TO REVIEW THE FEDERAL TRADE COMMISSION’S SURVEY OF PRIVACY POLICIES POSTED BY COMMERCIAL WEB SITES


THURSDAY, MAY 25, 2000 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 9:30 a.m. in room SR- 
253, Russell Senate Office Building, Hon. John McCain, Chairman 
of the Committee, presiding. 

OPENING STATEMENT OF HON. JOHN McCAIN, 

U.S. SENATOR FROM ARIZONA 

The Chairman. Good morning. This morning the Committee will 
examine the recently released FTC report on online privacy. I wel- 
come the members of the Commission and all the witnesses we will 
hear from today to the Committee. I also want to thank all of you 
for the hard work and dedication you have brought to this difficult 
issue. 

Every accolade that can be ascribed to the Internet has been 
stated many times over. Needless to say, it continues to transform 
our lives and our economy. While the Internet promises great op- 
portunities, it also presents new concerns and fears. Chief among 
those concerns is the ability of the Internet to further erode indi- 
vidual privacy. 

Since the beginning of commerce, business has sought to learn 
more about consumers. The ability of the Internet to aid business 
in the collection, storage, and transfer of information about con- 
sumers, however, is unprecedented. 

While this technology can allow business to better target goods 
and services, it has also increased consumers’ fears about the col- 
lection and use of personally identifiable information. The Commis- 
sion documented many of these concerns in its report. 

Last year when the Committee reviewed the FTC’s 1999 report 
on privacy, I made clear that my primary concern was to ensure 
that privacy policies were clear and understandable, that con- 
sumers could use them to guide their decisions, and that companies 
actually followed the policies they posted. Improving the depth of 
privacy policies is the primary factor motivating this Committee’s 
interest in this matter. 

This year’s report demonstrates that the business community has 
had great success in providing consumers with some form of notice 
of their information practices. However, the report makes it equally
clear there is much work to be done to improve the depth of infor- 
mation practices on the Internet. 

Consumers should not be forced to forego what has been de- 
scribed by Justices Brandeis and Warren as the “sacred precincts 
of private and domestic life” to enjoy the benefits of this new me- 
dium. It is clear that businesses should inform consumers in a 
clear and conspicuous manner how they treat personal information 
and give consumers meaningful choices as to how that information 
is used. While we may disagree on the manner in which we meet 
this goal, we all agree that it must be done. 

I am hopeful that today’s hearing will begin the process of devel- 
oping consensus about the best way to accomplish this goal and en- 
able consumers to protect their privacy online. I look forward to 
working with all of you to address this vital issue. 

Welcome, Senator Hollings. 

STATEMENT OF HON. ERNEST F. HOLLINGS, 

U.S. SENATOR FROM SOUTH CAROLINA 

Senator Hollings. Well, Mr. Chairman, let me thank you for 
this hearing. We have toyed with the problem long enough. It wors- 
ens every day. Industry agrees that there should be privacy protec- 
tion. They have all enunciated privacy policies, but that has added 
more to the confusion rather than assisted the problem because it 
is written either in legalese or it cannot be found or understood. 

We have had the Federal Trade Commission, this distinguished 
group, work on it for at least 5 years. As a result of their fine work, 
incidentally, we passed a bill on children’s privacy, and that is 
working. The intellectual community is saying that this technology 
is advancing so quickly that you cannot keep up with it; it is silly 
to try to even draw up a statute about it because it will be obsolete 
by the time it is passed. 

That is not what they said when they came to us for protection 
of intellectual property, regarding movies, books, and everything 
else. We passed these other protections, and now we have got to 
do it for the individual. Mind you me, this is not a technology or 
advancement that was invented either by the Vice President or by 
the advertisers. It was started by Senator Stevens in the Defense 
Subcommittee back in the late sixties. 

It has been free. It will stay free. And unless you are commer- 
cializing privacy, you do not have any worry about any statute on 
privacy. This is for those who are taking individual private infor- 
mation and commercializing it. Internet companies have agreed 
that there should be some protection for privacy. The question is 
how to give notice and consent with respect to access to what infor- 
mation the companies do have as well as the enforcement of the 
security. 

So what we need to do is look at this issue. Several Senators 
have. I commend my colleagues Senator Wyden and Senator Burns. 
They have sort of led the way. I have consulted over the last 3 
months now with various Senators and the FTC and other entities 
interested in it, with industry, and with the consumer groups. We 
have a bill on course now with ten co-sponsors, and I think we 
have got a pretty good target for a good approach, which is very
necessary at this particular time. 

Do not let us come here and say that it is going to ruin the Inter- 
net and no longer is it going to be free. I have heard statements 
recently to that effect. That is outrageous nonsense. There is noth- 
ing wrong with the Internet. You and I cannot stop it. In fact, the 
President only yesterday said it is going to bring democracy to 
China. So it is a wonderful thing. 

I will include my full statement in the record. 

[The prepared statement of Senator Hollings follows:] 

Prepared Statement of Hon. Ernest F. Hollings, 

U.S. Senator from South Carolina 

Today the Committee will hear from the Federal Trade Commission, the agency 
with unique expertise on the issue of Internet privacy. Having studied privacy on- 
line for five years, and having issued three consecutive annual reports on privacy 
policies online, beginning in 1998, the FTC concluded this week that it is time for 
legislation to protect consumer privacy on the Internet. This recommendation car- 
ries with it particular credibility in light of the FTC’s record of extensive analysis 
on this issue and its two prior recommendations to allow self-regulation a chance 
to work. 

In light of this recommendation, how should we respond? To answer that ques- 
tion, I first want to recognize the constructive efforts of two of my colleagues on this 
Committee, Senators Burns and Wyden, who attempted the first foray into the com- 
plicated issue of Internet privacy when they introduced their legislation last year. 
I look forward to working with them as we grapple with this significant consumer 
issue. 

The bill that we introduced Tuesday with ten cosponsors, the Consumer Privacy 
Protection Act, grants consumers, not companies, control over their personal infor- 
mation on the Internet. We do that by coupling a strong federal standard to protect 
consumers online with preemption of state Internet privacy laws to ensure business 
certainty. Our strong federal standard tracks the time-honored “fair information 
practices” of notice, consent, access, security, and enforcement, that the FTC recommends
we codify, and that we did codify with respect to children’s privacy.

Specifically, we require companies to do what some like Alta Vista are already 
doing — namely obtain prior consent from consumers before collecting and using or 
disclosing consumers’ personal information. At the same time, we need federal pre- 
emption to give industry the business certainty it cannot obtain from a mishmash 
of inconsistent state Internet privacy laws. 

Notwithstanding this sensible approach, industry will claim that we should ignore 
the FTC’s findings and give self-regulation more time. I say that is like letting the 
fox guard the henhouse. How can we trust companies whose every economic incen- 
tive is to collect, compile, enhance, target, and disseminate personal information for 
profit? Given these undeniable incentives, it is not surprising that industry argues
so strenuously against regulating the protection of consumer privacy on the Inter- 
net. 

What industry forgets is the Internet is not theirs. The truth is, Internet owes 
its existence to federally funded research by the Defense Department in the late 
1960s. The DOD Advanced Research Project Agency (ARPA) developed a radical 
new type of computer based communications system. This system was enhanced and 
expanded to more users through funding via the National Science Foundation. To put
it simply — the Internet was created for the public good — to facilitate scientific and 
academic research, to promote our national security, and to aid the exchange of 
ideas and information. The development of the Internet represents the single great- 
est modern example of government support for a revolutionary new technology. 
After its creation in 1969, the government sustained it for over two decades and now 
is subsidizing the commercial explosion on the Internet by refraining from imposing 
tax collection duties, and by exempting the Internet from regulations and fees that 
currently are imposed on other telecommunications companies. Protecting privacy 
online will enhance confidence in the medium and continue government’s important 
and ongoing role as a promoter of the Internet’s now exponential development. 

Industry also argues our approach will undermine some business models on the 
Internet that are based on customized advertising targeted to individuals whose per- 
sonal information has been collected. But The New York Times reports on May 7, 
2000, that targeted advertising on the Internet may not be a sustainable business
model. Most advertisers “say the response to their ads does not go up enough to be 
worth the extra cost and bother” of targeting. America Online’s Robert Pittman ap- 
pears to agree that targeted advertising is not necessary. “We don’t need to track 
people. If you want to sell cars, you talk to people when they are in the car area.” 
More to the point — we do not attempt to prohibit this advertising model on the 
Internet. We simply create a framework that requires that consumers be notified 
and consent to these practices, if businesses choose to collect information online. 

One last point. Many of the same companies that oppose privacy regulation on 
the Internet were up here seeking protection for their intellectual property on the 
Internet just three years ago. They demanded legislation to protect their books, 
records, music, and software from copyright infringement on the Internet. They in- 
sisted that such protection could be accomplished notwithstanding the rapidly 
changing technology of the online medium. Now, these same companies argue that 
any government attempt to protect privacy online can’t possibly comport with the 
rapidly changing technology in the industry. It’s funny how, on the one hand, they 
demand Congress protect their intellectual property online and, on the other hand, 
flatly oppose congressional efforts to protect consumers’ personal information on the 
Internet. 

The Chairman. Thank you very much, Senator Hollings. 

Senator Stevens. 

STATEMENT OF HON. TED STEVENS, 

U.S. SENATOR FROM ALASKA 

Senator Stevens. That one was long enough, Senator. You have 
got me becoming the grandfather. I do not want to get in a fight 
with Al Gore.

Senator Hollings. Well, we started it in defense. 

Senator Stevens. You are right about that. 

Mr. Chairman, I thank you for holding this hearing. I hope we 
have a series of hearings. I think this is one of the most complex 
issues we will face in regard to the Internet. I was privileged to 
have a discussion with the chairman here this past week. I look 
forward to working on it with all of you. 

But I do have a firm feeling that this is not an issue to be hasty 
about. So I am glad you are holding the hearing and I hope we can 
pursue and understand what we are doing before we bring out a 
bill from this Committee. 

Thank you. By the way, I am pleased to see all the members of 
the Commission here and to see that it was a unanimous position 
taken by the Commission. 

The Chairman. Thank you, sir. I think we may require more 
hearings on this issue. As you say, it is very complex and it is 
changing rather dramatically as we find out with the reports that 
we receive every year from the FTC. 

Senator Wyden. 

STATEMENT OF HON. RON WYDEN, 

U.S. SENATOR FROM OREGON 

Senator Wyden. Thank you, Mr. Chairman. I, too, appreciate 
your scheduling the hearing. At the outset, I want to thank Sen- 
ator Hollings for his kind comments. I think Senator Hollings’ bill 
is a very credible and very significant product. I want to assure the 
Senator I am looking forward to working closely with him. 

Mr. Chairman and colleagues, Senator Burns and I introduced 
more than a year ago an online privacy bill. At this point, when 
you have been following the issue it probably is a little hard to figure
out how it can be that the last time the Federal Trade Commission
surveyed prospects for self-regulation things seemed very rosy,
and now it appears that prospects are pretty dire. 

My sense is that we are going to find that reality is probably 
somewhere in between. The fact is that until this week’s survey, 
the Commission has shown extraordinary patience and support for 
industry self-policing. My read of the Federal Trade Commission’s 
report is that they are still showing support for self-regulation, but 
I think it is appropriate that they are showing a little less patience. 

In my opinion, the privacy situation was never as rosy as the 
headlines that last year’s survey had you believe. The reality then 
was that some of the surveyed privacy policies were just as flimsy 
as they are today. Further, there was virtually no enforcement, lit- 
tle accountability, and many less-visited Web sites were ignoring 
privacy altogether. 

The truth today, I suspect, is that things are not nearly as dire 
as some would have us believe. While the same problems exist 
today that were in place at the time of the previous survey, there 
are important steps indicating progress. The seal programs, I 
think, are getting better at what they do, and it does seem that 
more Web sites are taking privacy more seriously. 

But, for more than a year, Senator Burns and I, as I stated ear- 
lier, have worked on this on a bipartisan basis and have said that 
the costs are just too high to wait and see if self-regulation alone 
can tackle the bulk of the online privacy problem. None of us, none 
of us, want to see an Exxon Valdez of privacy that undermines the 
extraordinary growth of e-commerce. 

So the worst thing that we could do now is set back the progress 
of self-regulatory efforts. But what I think makes the best sense is 
to build on those kinds of approaches. That is what Senator Burns 
and Senator Kohl and I have sought to do, to reward and build on 
the self-regulatory efforts while creating a baseline set of require- 
ments to ensure that there are important consumer protection 
standards that would apply to those who are unwilling to take con- 
sumer privacy seriously. 

Mr. Chairman, I would ask that the rest of my statement be part 
of the record. I look forward to hearing from Chairman Pitofsky 
and, again, commend Senator Hollings and Senator Rockefeller for 
what I think is a very important bill that they have introduced as 
well, and I yield back. 

[The prepared statement of Senator Wyden follows:] 

Prepared Statement of Hon. Ron Wyden, U.S. Senator from Oregon 

I’m sure many who have been following the online privacy issue in the news- 
papers are asking themselves how the situation at the time of the last FTC survey 
could be so rosy, and could now be so dire. I would counsel them that the truth, 
as usual, probably lies somewhere in-between. 

The fact is that until this week’s survey, the Commission showed extraordinary 
patience and support for industry’s effort at self-policing. And by my reading of the 
report, they are still showing support for self-regulation: just a little less patience. 

Frankly, the privacy situation was never as rosy as the headlines from last year’s 
survey would have had you believe. The reality was that some of the surveyed pri- 
vacy policies were just as flimsy then as they are today. Further, there was virtually 
no enforcement, little accountability, and many less-visited Web sites were ignoring 
privacy altogether.

And the reality now, I suspect, is that things aren’t nearly as dire as some would
have us believe. While the same problems exist today as were in existence at the 
time of the previous survey, the seal programs are clearly maturing and getting bet- 
ter at what they do, and more Web sites are taking privacy seriously than ever be- 
fore. 

For over a year, however, I have been saying that the costs are simply too high 
to wait and see if self-regulation, alone, tackles the bulk of the online privacy prob- 
lem. I am pleased that the Commission now agrees with Chairman Burns and my- 
self on this point. We also agree — and look forward to their amplification of this 
point — that the worst thing we could do now is set back the progress of the self- 
regulatory efforts. 

Chairman Burns, Senator Kohl, and I have legislation that is founded on the idea 
of rewarding and building on the industry’s self-regulatory efforts, while creating a 
baseline of behavior for those who are unwilling to take consumer privacy seriously. 
We believe that if some regulation is necessary, the lightest practicable regulatory 
touch should be used to protect consumers. Sensible regulation need not, and should 
not, stifle private sector innovation. 

Several other members now have introduced online privacy bills, or have bills in 
the works. Senator Hollings has a new privacy bill with Senator Rockefeller and 
others, and it strikes me as a very credible and significant effort. Their bill raises 
a number of important issues, such as consumer choice with regard to personally- 
identifiable information, and I look forward to the Committee reviewing both bills, 
and others, as the debate moves forward. 

I’ll let the Commission speak for itself, but I think it’s clear from the report that 
the Commission isn’t here today to bury self-regulation, but to praise it. I sure hope 
that’s the case. I look forward to hearing from Chairman Pitofsky and the rest of
the Commission, and thank the Chairman for holding this timely and important 
hearing. 

The Chairman. Senator Burns. 

STATEMENT OF HON. CONRAD BURNS, 

U.S. SENATOR FROM MONTANA 

Senator Burns. Thank you, Mr. Chairman, and thank you for 
holding this hearing today, as this continues to be a great center 
of interest when we start talking about the Internet and related 
items around it. 

I think we are charged with issues like this today. If the Internet 
and electronic commerce continue to grow, we have to do something 
about safety and security and privacy and these types of things for 
it to reach its real potential. We have been amazed at the con- 
tinuing spectacular growth of the Internet, which has become a sta- 
ple in modern life, it seems. The tremendous reach of the Internet 
does pose challenges as well as opportunities. 

Unfortunately, digital technology can be used by bad actors to 
collect nearly limitless information on individuals without their 
knowledge. I am convinced that legislation is necessary to provide 
consumers with a safety net of privacy in the online world. As I 
stated in the hearing on privacy held in the Communications Sub- 
committee last summer, I am very disappointed — I was very dis- 
appointed — in the Federal Trade Commission’s report on online pri- 
vacy last year. The July 1999 report acknowledged that fewer than 
10 percent of the Web sites met the basic privacy protections, yet 
called for no Federal legislation to address this critical situation. 

However, at that time I was encouraged by the chairman’s 
pledge that if the industry failed to produce strong progress the 
Commission would call for action in this area. The chairman and 
the Commission have been true to their word in the report issued 
to Congress just this last Monday, which called for legislation.

I want to take a moment to specifically commend the work and
the insight of Commissioner Anthony on these privacy matters. In 
retrospect, her dissenting opinion in last year’s report has proved 
to be absolutely correct. Last year she stated that the legislation 
was necessary to ensure a minimum consumer privacy protection 
in the digital area. In her statement she expressed concern that the 
absence of effective privacy protection would undermine consumer 
confidence and hinder the advancement of electronic commerce. 

That is exactly what has happened in this past year. While e- 
commerce has continued to grow, several studies point out that the 
primary reason that is preventing more people from making pur- 
chases online and doing more business online is the lack of privacy. 
While the Internet has continued to exhibit massive growth, less 
than 1 percent of all consumer retail spending is done online. In 
short, e-commerce still has a huge up side potential, but the poten- 
tial will never be fulfilled without basic assurance of consumer pri- 
vacy. 

I am going to submit the rest of my statement, but I want to 
thank Senator Wyden and his hard work on our legislation. It con- 
tinues to be massaged and to be made better. 

I also welcome the introduction of Senator Hollings’ piece of leg- 
islation and look forward in working with Senator Hollings, be- 
cause we can find and take care of this problem, because it has to 
be done in a bipartisan way and it is not a partisan situation 
where we start talking about these building blocks of the future e- 
commerce of this country. So we welcome all of these ideas, and I 
am sure that we will come up with a bill that we can all support. 
So I appreciate that very much. 

I would ask unanimous consent that the rest of my statement be 
put in the record.* 

The Chairman. Without objection. 

Senator Hollings. Who is next? Senator Bryan. 

STATEMENT OF HON. RICHARD H. BRYAN, 

U.S. SENATOR FROM NEVADA 

Senator Bryan. Thank you very much. 

First, I would like to preface my comments by thanking Chair- 
man McCain for calling today’s hearing on this important issue of 
Internet privacy. Second, I would like to commend the FTC for all 
the work that it has done over the past 5 years in the area of on- 
line privacy. Each of the FTC’s three reports to Congress detailing 
online privacy practices and the numerous workshops and hearings 
they have held on this issue have contributed greatly to the ongo- 
ing dialog about the best way to protect the privacy of consumers 
on the Internet. 

The protection of privacy is a core value of our democratic soci- 
ety. Although not mentioned explicitly in the Constitution, the Su- 
preme Court has recognized that a fundamental right to privacy is 
embodied in both the Fourth and the Fourteenth Amendments to 
the Constitution. The right to privacy recognized by the court is a 
reflection of our citizenry’s long-held expectation that they should
be able to engage in a range of day to day activities with a significant
degree of autonomy and confidentiality.

*The information referred to was not available at the time this hearing went to press.

The Internet presents new challenges as well as new opportuni- 
ties for the protection of privacy. The sheer volume of personal in- 
formation that is exchanged on a daily basis between individuals 
and businesses on the Internet, coupled with the ability of other 
entities to track the flow of this information with relative ease, 
poses serious privacy concerns for many customers. 

A recent survey showed that 92 percent of consumers are con- 
cerned about the misuse of their personal information online. Con- 
versely, the architecture of the Internet provides an opportunity for 
technology to enhance online privacy. Many innovative companies 
are focusing more and more resources on the development of pri- 
vacy-enhancing tools that will enable consumers to have more con- 
trol over the use of their personal information. 

I agree with the recommendation of the majority of the Commis- 
sion that the time has come for the Congress to establish a baseline 
standard for the protection of consumer privacy on the Internet. 
Earlier this week, I was pleased to join the distinguished Ranking 
Member of this Committee, Senator Hollings, in introducing con- 
sumer privacy legislation that largely tracks the recommendations 
of the majority FTC report. This legislation builds upon the frame- 
work of legislation that was established in legislation that I offered 
in the children’s online privacy protection, which just took effect 
last month. It embodies the four widely accepted fair information 
practices: notice, choice, access, and security for the collection of 
personally identifiable information about consumers online. 

The Commission’s report does indicate that the industry has 
made progress with self-regulatory initiatives. But in spite of this 
progress, however, I remain concerned about the effectiveness of 
online privacy seal programs, especially in the area of enforcement. 
I agree with the Commission that legislation is necessary to com- 
plement the industry’s self-regulatory efforts in order to enhance 
adequate protection of consumer privacy. 

I fully understand the industry’s concerns with the regulatory 
approach to protecting privacy on the Internet. But I am hopeful, 
however, that they will come to view this effort as an opportunity 
to enhance consumer confidence in e-commerce, much like what oc- 
curred in the offline world with the credit card industry in the 
1970’s. I look forward to working with the industry, much as I did 
during the Committee’s consideration of the Children’s Online Pri- 
vacy Protection Act, to enact a responsible piece of legislation that 
adequately protects consumer privacy online in a manner that does 
not unduly burden the growing importance of e-commerce in the 
marketplace. 

Senator Stevens [presiding]. Senator Ashcroft. 

STATEMENT OF HON. JOHN ASHCROFT, 

U.S. SENATOR FROM MISSOURI 

Senator Ashcroft. Thank you very much. Thank you very much, 
Mr. Chairman. Thank you for holding today’s hearing. 

I do not see this hearing as merely discussing a report from a 
Federal agency to Congress. I think this hearing will help us deter- 
mine whether the Federal Government should develop a significant 
and sweeping regulatory scheme. We are here to understand
whether the growth of a flourishing high-tech industry would be 
hindered by such an involvement. We must discuss this issue in 
terms of whether or not the American people will be well served 
by significant government involvement in this dynamic industry. 

We should ask ourselves whether it will continue to grow or will 
it continue to provide jobs, new opportunity, and education and re- 
search. We should ask whether the involvement of government bu- 
reaucrats will dramatically diminish the new efficiencies gained by 
conducting business on the Internet. 

All of us are concerned about consumer privacy. I am concerned 
that consumers who want privacy should have privacy. In fact, 
Congress recently has recognized through statutes which apply to 
every segment of the economy that sensitive consumer information, 
such as financial and medical records, should be treated with extra 
care. I would point out that those regulations apply to everyone, 
not just companies who conduct business in the traditional brick 
and mortar sense. But the privacy laws which we now have in 
place already apply to companies doing business on the Internet. 

However, through the fear-mongering from Washington, in some 
situations consumers have been led to believe that there are no 
protections in place on the Internet, and that is simply not true. 
Not only do our new privacy laws apply to Internet transactions, 
so do our consumer protection laws. In fact, we have heard glowing 
testimony before this Committee about the work of the FTC, about 
the work that the FTC has done to fight consumer fraud on the 
Internet. The Internet has even been credited with giving the FTC 
new and powerful tools to fight such fraud. 

A few months ago the FTC Commissioners sat before this Com- 
mittee to discuss this very issue, and at that time I was concerned 
that the latest Internet sweep was predestined to reach the conclu- 
sion contained in the Commission’s report, that is that there need 
to be special regulations that apply to the Internet that do not 
apply to other collections of data, do not apply to other businesses, 
and do not apply to the other utilizations of data in our culture. 

For example, when people promote through the distribution of 
coupons refund opportunities for individuals who buy products, 
people mail in those refund opportunities. There are not special 
laws that relate to what they can do with that information or how 
it can be used. It is not on the Internet, but it is the collection of 
consumer data and it is distributed widely. 

Many people like the opportunity to participate in refund 
schemes and are willing to trade the value of the refund for the uti- 
lization of that information, which is consumer data, by businesses. 
It is a big part of the way we do business in this country. In our 
household, my wife scarcely lets a refund offer go by without col- 
lecting the labels necessary to cash in. As a matter of fact, she 
keeps a file of labels so that when the offer comes out she does not 
have to go buy additional products; she already has the labels 
ready to mail them in. 

Now, I would just point out that I think we have got to be careful 
that we do not impose on the Internet unnecessary regulation that 
is differential, specially designed, and would curtail and confine the 
Internet from operating in ways that we do not ask for responsibility
or we do not ask for regulation on the rest of commerce.

Further, I think we ought to make sure that when we are talking 
about choice we allow people the choice of saying that they want 
to receive data based on the kinds of practices they have and they 
are interested, for instance, in getting offers from companies and 
the like based on the kinds of interest they have expressed in pur- 
chasing patterns, whether it be through refund coupons or other 
devices. 

Although regulating the Internet was the recommendation fol- 
lowing the sweep by the Commission, I am a little confused about 
how the numbers really move us toward that result. Two years ago 
a sweep showed that 14 percent of Web sites had privacy policies. 
Today 90 percent posted policies. That really says that, in an in- 
dustry that showed a 543 percent improvement in 2 years, that it 
was deemed to be failing in self-regulation. 

So in the interest of time and because the witnesses will address 
this issue, I will not mention all of the significant work done by in- 
dustry to improve privacy and security on the net. I just want to 
say that I hope that we do not single out the Internet for a kind 
of regulation which would stifle it, which would limit the kinds of 
choices consumers have, and make the Internet a place where it 
would be difficult to grow business in the same way that it might 
be available for growth in other settings. 

With that note, I want to indicate again how I respect privacy 
and want to be able to protect privacy, but I do not have a clear 
picture of how I want to inhibit information on the Internet that 
is not inhibited in other sectors of our economy. 

Thank you. 

Senator Stevens. Senator Kerry. 

STATEMENT OF HON. JOHN F. KERRY, 

U.S. SENATOR FROM MASSACHUSETTS 

Senator Kerry. Mr. Chairman, thank you very much. 

I am delighted that Senator McCain has called this hearing. I 
think there is going to be a unanimity among most of us on the 
Committee, as there is probably among most Americans, that they 
want their privacy protected. I applaud the FTC and the analysis 
that they have put into this, and I particularly respect the effort 
of Senator Hollings and colleagues on the Committee who drafted 
some legislation and who have moved in that direction. 

But I differ a little bit with some of them with respect to the de- 
gree to which at this stage, at a 5- or 6-year point in terms of the 
development of the net, that Congress has the ability to move 
adroitly enough, fast enough, with sufficient analysis and informa- 
tion, to be able to properly regulate something that is developing 
even as we sit here so rapidly, with so many technological advances 
that have the ability to answer some of our questions without our 
constricting the creativity and the efforts that are going into this. 

It seems to me that there are certain principles we could adopt, 
for instance anonymity. What I hear from people in the industry 
is that the technology is moving fast enough that there are ways 
that the offerings of the marketplace are going to make it very 
clear to people that they can use one service or another that protects
their privacy and protects their options, without our setting
up a rigid, strict structure, at least at this point. 

I think the FTC sort of adopted this up until this sudden point, 
and one of the questions today obviously is why there is the mo- 
ment of departure. Maybe they do not think things have moved 
fast enough, obviously. But initially self-regulation was certainly 
their guiding theory, and this is the first moment of departure from 
that. 

The opt-in requirement on the whole, while obviously I favor opt- 
in as a principle and I think most Americans are going to want 
that kind of choice and demand it in the marketplace, but in point 
of fact to mandate that actually sets a standard that in some cases 
in terms of marketplace behavior is neither necessary nor techno- 
logically sound. There are certain instances where certain kinds of 
marketing can take place that do no harm to people, they may 
choose to participate in it; you do not require that kind of burden. 

I think the Committee is very much behind the curve, the coun- 
try is behind the curve, in analyzing the degree to which we are 
drawing distinctions for the online world that we do not draw in 
the offline world. When you go to a local store here, let us say you 
go in Georgetown, you visit some store and buy a bunch of goods 
and you swish your card through the thing when you leave, that 
entity could determine everything you bought. They can market ac- 
cordingly. 

I mean, I must get 40 or 50 magazines every 3 weeks that are 
targeted based on my offline behavior. Yet we are about to require 
language restrictions that have no relationship to what is hap- 
pening in the offline world, and I do not think we have thought 
that through adequately. 

So I think there is a lot more analysis that needs to be done, and 
I am going to introduce legislation that I think will kind of balance 
these interests, where we can establish what we think are the 
goals and principles by which this ought to be in its earliest stages 
developed. There ought to be maximum amount of opt-in, there 
ought to be anonymity. Clearly, in the marketing you do not have 
to know that it is John Smith at Myrtle Street. You have to know 
that X number of goods are being bought in a certain area by cer- 
tain demographics. But there are ways to protect the privacy with- 
out our becoming, I think, extraordinarily mandating at the federal 
level. 

I might add to that that it seems to me there are very significant 
realities of the marketplace, that Americans are going to opt for 
those entities that most protect them if that is what indeed they 
want. And if they do not want it, they can also have the oppor- 
tunity to make that kind of conscious choice. 

There is clearly a difference between what happens in opt-in and 
opt-out. We all know it. I will wrap it up very quickly. We fought 
that out on the Banking Committee last year and in the Financial 
Modernization Act. It seems to me that also we have not really bal- 
anced some of those kinds of equities in how the market works. 

In my judgment, Mr. Chairman, I think we have to be very, very 
careful on this Committee and in the Congress not to move fast. 
I think there are ways to protect Americans, to protect our inter- 
ests, protect our prerogatives to come back, protect the capacity of 
the FTC to, in fact, regulate and enforce and, if we were to set adequate
standards and goals, the FTC would, in fact, be leveraged in
its capacity to enforce, particularly if each company adopts its own 
privacy regime. 

So I hope we are going to measure this carefully and not move 
overly rapidly, and I hope the Committee can find a consensus on 
this with some careful deliberation. Thank you, Mr. Chairman. 

Senator Stevens. Senator Gorton. 

STATEMENT OF HON. SLADE GORTON, 

U.S. SENATOR FROM WASHINGTON 

Senator Gorton. I will pass. 

Senator Stevens. Thank you. 

Senator Rockefeller. 

STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 

U.S. SENATOR FROM WEST VIRGINIA 

Senator Rockefeller. Thank you, Mr. Chairman. 

I do not think the problem is whether we move slowly or quickly. 
This Committee has a history of not reacting at all on issues that 
we do not understand and, therefore, we have got to give ourselves 
ample time. 

Well, there is no such thing as ample time in the world of the 
net. There is no such thing as ample time if I have diabetes, for 
example, and that is my own private information and that gets out 
and it is sold to a third party, and there are not controls, and I 
cannot get a job. That example is used often. 

This is a different world. To compare, as the Senator from Mis- 
souri did, this — “Missoura” — this medium that we are talking 
about to sort of other things and what transactions he and his wife 
might make at home, is behind the curve. This is a new world. 

There has been a 548 percent increase in online disclosure and 
privacy policies. Of course that is exactly what the FTC looked at, 
and it is the quality of what the privacy policies say. Can you find 
them? Can you read them? Is the print big enough, and is it writ- 
ten in words that only those who are lawyers can understand? The 
American consumer is not always the most sophisticated, and the 
American consumer when on the net or on a Web site is almost al- 
ways in a hurry and does not take the time. It is simply under- 
standing human nature in a medium which is changing and then 
rechanging every 6 to 8 months. 

So this is not a question of should we wait and make sure that 
we do absolutely the most perfect thing. There are hundreds of 
thousands or millions of people whose lives are going to be inter- 
vened with in ways that are dramatic and dangerous if this Com- 
mittee does not pass a bill which supports what the FTC basically 
says. That is, that the work is not being done sufficiently. 

I would remind the Senators from Massachusetts and Missouri 
that we heard all these same arguments back in the 1970’s when 
the credit cards started up. The credit card industry was all over 
everybody saying that you cannot regulate us. And it was only, in 
fact, when we did put regulations on the credit card industry that 
the 90 percent of American consumers who at that time perhaps 
were not using credit cards or who are not at this point on Web 
sites or using the Internet the way they might gained confidence
in precisely the industry that had just gone through some form of 
regulation. 

It was the regulation and thus the privacy and the access and 
the security that in fact helped the industry to attract users. So it 
is a cliche to say, but it is through judicious and cautious regula- 
tion not irrational exuberance that will help protect Americans and 
which will also help the industry grow. 

We will make a mistake here if we apply traditional values to 
our legislative course. 

Senator Stevens. Thank you. 

Senator Cleland, do you have an opening statement? 

STATEMENT OF HON. MAX CLELAND, 

U.S. SENATOR FROM GEORGIA 

Senator Cleland. Yes, sir, I do. Thank you very much, Mr. 
Chairman. 

More and more as a Member of this Committee, I feel like I am 
in a cul de sac on the information highway. I am still struggling, 
trying to find out what it is all about. I was thinking this morning 
of how to equate what we are facing now with what I understood. 
I am from a small town, and it was not that many years ago in 
my little town that there were only four numbers involved with a 
telephone. And it was a totally public line. It was a party line, it 
used to be called, and basically everybody else knew each other’s 
business. My State director, who is only 5 years older than I am, 
remembers when he would go home from school in the afternoon, 
pick up the phone, call the switchboard operator and say: Where 
is my mother? And she would say: Over at Grade’s. 

I wonder if here in the early days of the Internet that everybody 
that is online is actually on a party line and does not know it. 

The information superhighway began just a few short years ago 
as a footpath and now it is an unlimited expressway. People can 
now use the Internet to shop at virtual stores located thousands of 
miles away, find turn-by-turn directions to far away destinations, 
and journey to hamlets, cities, and states across the country. 

While the virtual world is available to us with just a few key- 
strokes and mouse clicks, there is one area of the Internet that 
many are finding troublesome. It is the collection and use of per- 
sonal data. All too often, web surfers are providing personal infor- 
mation about themselves without their knowledge and consent. It 
is a party line, except people do not know they are on a party line. 

There is so much information being collected on people visiting 
Web sites today that it would take several buildings the size of the 
Library of Congress to store it all. That is a lot of information, 
much of which is very personal, and I believe it must be kept that 
way. 

My concern about privacy on the Internet is that this issue is 
keeping people from fully enjoying the marvelous technology avail- 
able to them. According to a recent survey by the Center for De- 
mocracy and Technology, consumers are fearful of the sale of their 
personal information to others and Web sites tracking people’s use 
of the web. I think the term “cookies” is a fascinating term. I love 
cookies, but not this way. 

This survey seems to be pointing to the same argument that was
made when credit cards were first introduced to the American public.
At that time credit cards did not initially enjoy widespread
lic. At that time credit cards did not initially enjoy widespread 
usage because of the potential misuse by others, but it was only 
after regulatory intervention to protect consumers that this fear 
was somewhat dispelled. We should learn this lesson from the 
Internet and the challenges that it is experiencing over privacy 
concerns. 

These concerns are translating into lost opportunities for con- 
sumers and businesses. Now, most of the dot-com companies doing 
business over the Internet today are very cognizant of the fact that 
privacy is a major concern. However, in a report you just released, 
you found that 92 percent of the Web sites that you surveyed were 
collecting great amounts of personal information from consumers 
and only 14 percent disclosed anything about how the information 
would be used. 

Interestingly enough, the report, your report, found that a mere 
41 percent, less than half, of the randomly selected Web sites noti- 
fied the visitor of their information practices and offered the visitor 
choices on how their personal information would be used. Now, this 
report seems to suggest to me that industry efforts by themselves 
are, indeed, not sufficient to control the gathering and dissemina- 
tion of personal data. 

At one Web site visit, a company can collect some very inter- 
esting facts about the person who is on the other end without them 
knowing it. While surfing the web the other day, I hit on a Web 
site that provided me with the insight into just how much informa- 
tion can be collected. In less than a minute, the site reported what 
other sites I had visited, what sites I would likely visit in the fu- 
ture, what plug-ins are installed on my PC, how my domain is con- 
figured, and a lot more information that I did not really under- 
stand. 

Many consider this type of tracking akin to stalking. I believe 
that the information that can be collected by Web site administra- 
tors can create problems for people through a violation of trust and 
invasion of privacy. I would say, as an old Army signal officer, I 
know that you cannot communicate important data unless you 
have a feeling that it is secure. Novice Internet users generally are 
unaware, as I was until visiting this site, of the extent of informa- 
tion being collected on them. Even those who are aware of the ca- 
pabilities of firms to collect private data are frightened by what can 
happen. 

I believe in increasing the level of protection for private informa- 
tion to a level that the people of our nation and the dot-coms can 
live with, and I believe in providing assurances to those who are 
providing information that their privacy rights will be protected. It 
seems reasonable to me that firms that are collecting private data 
should notify consumers of the firm’s information practices, offer 
the consumer choices on how the personal information will be used, 
allow consumers to access the information that is collected on 
them, and require those firms to take reasonable steps to protect 
the security of that information. 

However, I am looking forward to learning more about the Inter- 
net privacy issue this morning and hearing from experts like these 
wonderful people at the table, Mr. Chairman, and the rest of our
distinguished testifiers. 

Thank you very much. 

The Chairman [presiding]. Chairman Pitofsky, welcome. I am 
sorry for the delay. I apologize to all the Commissioners. Chairman 
Pitofsky. 

STATEMENT OF HON. ROBERT PITOFSKY, 
CHAIRMAN, FEDERAL TRADE COMMISSION 

Mr. Pitofsky. Thank you, Mr. Chairman, Senator Hollings, 
members of the Committee. I welcome this opportunity to once 
again appear before this Committee to discuss this important sub- 
ject, especially because this Committee has supported so consist- 
ently and so well our efforts to deal with the kinds of problems we 
will discuss today. 

As you know, the Commission has been active in the area of pro- 
tecting consumers on the Internet since 1995. To a large extent we 
have dealt with fraud on the Internet, but we have also addressed 
questions of privacy. 

We all know that the Internet commerce sector of the economy 
is growing at an amazing pace. But we also know that many peo- 
ple, some surveys say over 90 percent, are apprehensive about the 
way their private information is being used, including people who 
go ahead and buy things on the Internet. 

Most observers believe that consumer protection would require 
four fair information practices. Incidentally, the business commu- 
nity in their seal programs and elsewhere have also indicated that 
these are the four bases that need to be touched. 

First, notice: What information is being collected and what are 
the collectors doing with it? Consumers ought to know that. 

Choice, the opportunity of consumers to say that we do not want 
this information used for any purpose other than completion of the 
transaction. 

Most people also think that there ought to be some access, so if 
sensitive information is involved in the data base and it is wrong, 
there is an opportunity to correct it, so that consumers are not in- 
jured by errors. 

The fourth practice involves an obligation to keep the informa- 
tion firms collect secure. 

The debate really concerns whether these rights can be achieved 
through legislation or through growing efforts of responsible com- 
panies in the field to engage in self-regulation. My own view is that 
neither legislation alone nor self-regulation alone is the right an- 
swer, but it ought to be some combination of the two. 

I applaud the progress that has been made in self-regulation in 
recent years. On the matter of notice, we have gone from 14 per- 
cent notice on all Web sites to 88 percent notice on all Web sites 
in a little over two years. The question has been raised: If that is 
the case, why has a majority of the Commission changed its view 
about the adequacy of self-regulation? I would make a number of 
points. 

First of all, the 88 percent figure is a little misleading. It in- 
cludes “notice” that says in effect, “we protect your privacy,” or it 
could include notice that says, “we do not protect your privacy.” 
The fact of the matter is if you ask the questions, “how many of
these notices actually tell consumers what information is collected 
and how it is used?” then the figure falls down to about 55 percent 
for all sites, 89 percent for the most visited sites. 

If you ask the questions, “what about all four information prac- 
tices? Are they being adequately addressed through self-regula- 
tion?,” it turns out only 20 percent of firms on the Internet, one in 
five, have adopted all four fair information practices. 

Some have said, “Well, but access and security are difficult to un- 
derstand, the industry is slow to move in those two areas.” All 
right, let us leave out access and security and ask only about notice 
and consent. There, on all Web sites, we find only 41 percent have 
notice and consent, 60 percent of the most traveled sites. 

Finally, the whole notion of self-regulation requires that compa- 
nies be part of seal programs and if they do not abide by self-regu- 
latory standards, the seal will be taken away. Well, we find in that 
area, even though these seal programs have been working for over 
a year and a half, almost 2 years, 8 percent of Web sites are mem- 
bers of seal programs. That does not seem adequate. 

What is to be done? First let me say again that self-regulation 
has achieved a good deal and has an important role to play in the 
future. I have always been a strong advocate of self-regulation. It 
works in many sectors of the economy. But I tell you on the basis 
of my experience that the most effective self-regulatory programs 
are those that have a rule of law to back them up, so that the self- 
regulators can then say to the irresponsible few who do not go 
along with the standards that their behavior will be referred to a 
law enforcement agency. 

The idea that the self-regulators can go to the less responsible 
few and say, if you continue to collect and sell this information 
without permission at a profit to third parties we are going to take 
your seal of approval away from you, just does not get the job done. 
It helps, but it is not in my opinion adequate. 

Second, I do believe that Congress must be cautious in this area 
and not impose on this growing and wonderful pro-consumer mar- 
ketplace burdens that will hamper the development of the market- 
place. 

Third, as our report tries to emphasize, there are many com- 
plicated questions that arise here: What is adequate notice? How 
much access is required? What do we mean by “security”? There- 
fore, I applaud those who say that we should be careful; we should 
get it right rather than rush to any judgment in this area. 

Any legislation should be sufficiently flexible so that if there are 
technological solutions — and we hear about them all the time — if 
they really develop then they should be incorporated and they 
should be allowed to protect consumers rather than direct govern- 
ment regulation. 

Finally, an issue that has been raised by several: Why are we 
emphasizing consumer protection online and not offline? First of 
all, it is possible to manipulate data online in a very special way. 
But more important than that, in our report we address the ques- 
tion of online privacy. We have not examined the question of offline 
privacy. Slowly, I have come around to the view, as we have moved 
through this area, that the argument that offline and online should 
be treated in a radically different way just does not hold up and
we should be addressing whether or not consumers offline, deserve 
protection as well. 

Let me conclude my remarks with a reference to some basic prin- 
ciples. Millions of people now enthusiastically shop online and they 
have no problem at all supplying personally identifiable informa- 
tion — names, addresses, credit card numbers if necessary, even so- 
cial security numbers — if necessary to complete the transaction. 
But many sellers on the Internet are not just in the business of 
selling a product or selling a service, but rather they are in the 
business of accumulating data — the books we read, the music we 
hear, the pharmaceuticals and cosmetics we buy, our travel and va- 
cation plans, the information we research, on and on and on. And 
that is often sold at a profit to third parties with whom we have 
no direct connection whatsoever. We do not even know who they 
are or what they are doing with that information. 

Many people do not object to that either, as long as they have 
an opportunity to say to the online seller: “If that is what you are 
going to do with the data, just leave me out; I visited your Web site 
to buy a product, not to provide information about my life, my fam- 
ily, my habits, or my economic class.” 

I think that is the goal that virtually all of us share. We must 
make sure that that option is available to consumers on the Inter- 
net. They should not be required to forfeit their privacy online in 
exchange for the rich benefits of electronic commerce. Careful, non- 
burdensome legislation, backed up by effective self-regulation, and 
the legislation would set minimum standards, seems to me at this 
point the right way to go. 

Thank you very much. 

[The prepared statement of Chairman Pitofsky follows:] 

Prepared Statement of Hon. Robert Pitofsky, Chairman, 

Federal Trade Commission 

Mr. Chairman, I am Robert Pitofsky, Chairman of the Federal Trade Commission. 
I appreciate this opportunity to present the Commission’s views on the privacy 
issues raised by the collection and use of consumers’ personal information by
commercial sites on the World Wide Web. 1

I. Introduction and Background 

A. FTC Law Enforcement Authority 

The FTC’s mission is to promote the efficient functioning of the marketplace by 
protecting consumers from unfair or deceptive acts or practices and to increase con- 
sumer choice by promoting vigorous competition. As you know, the Commission’s re- 
sponsibilities are far-reaching. The Commission’s primary legislative mandate is to 
enforce the Federal Trade Commission Act (“FTCA”), which prohibits unfair methods
of competition and unfair or deceptive acts or practices in or affecting commerce. 2
With the exception of certain industries and activities, the FTCA provides
the Commission with broad investigative and law enforcement authority over entities
engaged in or whose business affects commerce. 3 Commerce on the Internet
falls within the scope of this statutory mandate. 


1 The Commission vote to issue this testimony was 5-0. Commissioners Anthony, Thompson,
Swindle, and Leary have issued separate statements, which are attached. 

My oral testimony and any responses to questions you may have reflect my own views and 
are not necessarily the views of the Commission or any other Commissioner. 

2 15 U.S.C. § 45(a). 

3 The Commission also has responsibility under 45 additional statutes governing specific in- 
dustries and practices. These include, for example, the Truth in Lending Act, 15 U.S.C. §§ 1601 

Continued 

B. Privacy Concerns in the Online Marketplace

Since its inception in the mid-1990’s, the online consumer marketplace has grown 
at an exponential rate. Recent figures suggest that as many as 90 million Americans 
now use the Internet on a regular basis. 4 Of these, 69%, or over 60 million people, 
shopped online in the third quarter of 1999. 5 In addition, the Census Bureau esti- 
mates that retail e-commerce reached $5.3 billion for the fourth quarter of 1999. 6 

At the same time, technology has enhanced the capacity of online companies to 
collect, store, transfer, and analyze vast amounts of data from and about the con- 
sumers who visit their Web sites. This increase in the collection and use of data, 
along with the myriad subsequent uses of this information that interactive tech- 
nology makes possible, has raised public awareness and consumer concerns about 
online privacy. Recent survey data demonstrate that 92% of consumers are con- 
cerned (67% are “very concerned”) about the misuse of their personal information 
online. 7 The level of consumer unease is also indicated by a recent study in which 
92% of respondents from online households stated that they do not trust online com- 
panies to keep their personal information confidential. 8 To ensure consumer con- 
fidence in this new marketplace and its continued growth, consumer concerns about 
privacy must be addressed. 9 


et seq., which mandates disclosures of credit terms, and the Fair Credit Billing Act, 15 U.S.C. 
§§ 1666 et seq., which provides for the correction of billing errors on credit accounts. The Com- 
mission also enforces over 30 rules governing specific industries and practices, e.g., the Used 
Car Rule, 16 C.F.R. Part 455, which requires used car dealers to disclose warranty terms via 
a window sticker; the Franchise Rule, 16 C.F.R. Part 436, which requires the provision of infor- 
mation to prospective franchisees; the Telemarketing Sales Rule, 16 C.F.R. Part 310, which de- 
fines and prohibits deceptive telemarketing practices and other abusive telemarketing practices; 
and the Children’s Online Privacy Protection Rule, 16 C.F.R. Part 312. 

In addition, on May 12, 2000, the Commission issued a final rule implementing the privacy 
provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§6801 et seq. The rule requires a wide 
range of financial institutions to provide notice to their customers about their privacy policies 
and practices. The rule also describes the conditions under which those financial institutions 
may disclose personal financial information about consumers to nonaffiliated third parties, and 
provides a method by which consumers can prevent financial institutions from sharing their personal
financial information with nonaffiliated third parties by opting out of that disclosure, subject
to certain exceptions. The rule is available on the Commission’s Web site at
<http://www.ftc.gov/os/2000/05/index.htm#12>. See Privacy of Consumer Financial Information, to be
codified at 16 C.F.R. pt. 313. 

The Commission does not, however, have criminal law enforcement authority. Further, under 
the FTCA, certain entities, such as banks, savings and loan associations, and common carriers, 
as well as the business of insurance, are wholly or partially exempt from Commission jurisdiction.
See Section 5(a)(2) and 6(a) of the FTC Act, 15 U.S.C. § 45(a)(2) and 46(a). See also The
McCarran-Ferguson Act, 15 U.S.C. § 1012(b). 

4 The Intelliquest Technology Panel, Panel News, available at <http://www.techpanel.com/news/index.asp>
[hereinafter “Technology Panel”] (90 million adult online users as of third-quarter
1999). Other sources place the number in the 70-75 million user range. See Cyber Dialogue,
Internet Users, available at <http://www.cyberdialogue.com/resource/data/ic/index.html> (69 million
users); Cyberstats, Internet Access and Usage, Percent of Adults 18+, available at
<http://www.mediamark.com/cfdocs/MRI/cs f99a.cfm> (75 million users).

5 Technology Panel. This represents an increase of over 15 million online shoppers in one year. 
See id. 

6 United States Department of Commerce News, Retail E-commerce Sales for the Fourth Quar- 
ter 1999 Reach $5.3 Billion, Census Bureau Reports (Mar. 2, 2000), available at <http:// 
www.census.gov/mrts/www/current.html>. 

7 Alan F. Westin, Personalized Marketing and Privacy on the Net: What Consumers Want, Pri- 
vacy and American Business at 11 (Nov. 1999) [hereinafter “Westin/PAB 1999”]. See also IBM 
Multi-National Consumer Privacy Survey at 72 (Oct. 1999), prepared by Louis Harris & Associ- 
ates Inc. [hereinafter “IBM Privacy Survey”] (72% of Internet users very concerned and 20% 
somewhat concerned about threats to personal privacy when using the Internet); Forrester Research,
Inc., Online Consumers Fearful of Privacy Violations (Oct. 1999), available at
<http://www.forrester.com/ER/Press/Release/0,1769,177,FF.html> (two-thirds of American and Canadian
online shoppers feel insecure about exchanging personal information over the Internet). 

8 Survey Shows Few Trust Promises on Online Privacy, Apr. 17, 2000, available at <http:// 
www.nyt.com> (citing recent Odyssey survey). 

9 The Commission, of course, recognizes that other consumer concerns also may hinder the de- 
velopment of e-commerce. As a result, the agency has pursued other initiatives such as com- 
bating online fraud through law enforcement efforts. See FTC Staff Report: The FTC’s First Five 
Years Protecting Consumers Online (Dec. 1999). The Commission, with the Department of Com- 
merce, is also holding a public workshop and soliciting comment on the potential issues associ- 
ated with the use of alternative dispute resolution for online consumer transactions. See Initial 
Notice Requesting Public Comment and Announcing Public Workshop, 65 Fed. Reg. 7,831 (Feb. 
16, 2000); Notice Announcing Dates and Location of Workshop and Extending Deadline for Pub- 
lic Comments, 65 Fed. Reg. 18,032 (Apr. 6, 2000). The workshop will be held on June 6 and 
7, 2000. Information about the workshop, including the federal register notices and public com- 
ments received, is available at <http://www.ftc.gov/bcp/altdisresolution/index.htm>. 

C. The Commission's Approach to Online Privacy — Initiatives Since 1995

Since 1995, the Commission has been at the forefront of the public debate con- 
cerning online privacy. 10 The Commission has held public workshops; examined 
Web site information practices and disclosures regarding the collection, use, and 
transfer of personal information; and commented on self-regulatory efforts and tech- 
nological developments intended to enhance consumer privacy. The Commission’s 
goals have been to understand this new marketplace and its information practices, 
and to assess the costs and benefits to businesses and consumers. 11 

In June 1998 the Commission issued Privacy Online: A Report to Congress (“1998 
Report”), an examination of the information practices of commercial sites on the 
World Wide Web and of industry’s efforts to implement self-regulatory programs to 
protect consumers’ online privacy. 12 The Commission described the widely-accepted 
fair information practice principles of Notice, Choice, Access and Security. The Com- 
mission also identified Enforcement — the use of a reliable mechanism to provide 
sanctions for noncompliance — as a critical component of any governmental or self- 
regulatory program to protect privacy online. 13 In addition, the 1998 Report pre- 
sented the results of the Commission’s first online privacy survey of commercial 
Web sites. While almost all Web sites (92% of the comprehensive random sample) 


10 The Commission’s review of privacy has mainly focused on online issues because the Com- 
mission believes privacy is a critical component in the development of electronic commerce. How- 
ever, the FTC Act and most other statutes enforced by the Commission apply equally in the 
offline and online worlds. As described infra, n.11, the agency has examined privacy issues affecting
both arenas, such as those implicated by the Individual Reference Services Group, and
in the areas of financial and medical privacy. It also has pursued law enforcement, where appropriate,
to address offline privacy concerns. See FTC v. Rapp, No. 99-WM-783 (D. Colo. filed Apr.
21, 1999); In re Trans Union, Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 
(D.C. Cir. Apr. 4, 2000). These activities — as well as recent concerns about the merging of online 
and offline databases, the blurring of distinctions between online and offline merchants, and the 
fact that a vast amount of personal identifying information is collected and used offline — make 
clear that significant attention to offline privacy issues is warranted. 

11 The Commission held its first public workshop on privacy in April 1995. In a series of hear- 
ings held in October and November 1995, the Commission examined the implications of 
globalization and technological innovation for competition and consumer protection issues, in- 
cluding privacy concerns. At a public workshop held in June 1996, the Commission examined 
Web site practices regarding the collection, use, and transfer of consumers’ personal information; 
self-regulatory efforts and technological developments to enhance consumer privacy; consumer 
and business education efforts; the role of government in protecting online information privacy; 
and special issues raised by the online collection and use of information from and about chil- 
dren. The Commission held a second workshop in June 1997 to explore issues raised by indi- 
vidual reference services, as well as issues relating to unsolicited commercial e-mail, online pri- 
vacy generally, and children’s online privacy. 

The Commission and its staff have also issued reports describing various privacy concerns in 
the electronic marketplace. See, e.g., FTC Staff Report: The FTC’s First Five Years Protecting 
Consumers Online (Dec. 1999); Individual Reference Services: A Federal Trade Commission Re- 
port to Congress (Dec. 1997); FTC Staff Report: Public Workshop on Consumer Privacy on the 
Global Information Infrastructure (Dec. 1996); FTC Staff Report: Anticipating the 21st Century: 
Consumer Protection Policy in the New High-Tech, Global Marketplace (May 1996). Recently, at 
the request of the Department of Health and Human Services (“HHS”), the Commission sub- 
mitted comments on HHS’ proposed Standards for Privacy of Individually Identifiable Health 
Information (required by the Health Insurance Portability and Accountability Act of 1996). The 
Commission strongly supported HHS’ proposed “individual authorization” or “opt-in” approach 
to health providers’ ancillary use of personally identifiable health information for purposes other 
than those for which the information was collected. The Commission also offered HHS suggestions
it may wish to consider to improve disclosure requirements in two proposed forms that
would be required by the regulations. The Commission’s comments are available at
<http://www.ftc.gov/be/v000001.htm>.

The Commission also has brought law enforcement actions to protect privacy online pursuant 
to its general mandate to fight unfair and deceptive practices. See FTC v. ReverseAuction.com, 
Inc., No. 00-0032 (D.D.C. Jan. 6, 2000) (consent decree) (settling charges that an online auction 
site obtained consumers’ personal identifying information from a competitor site and then sent 
deceptive, unsolicited e-mail messages to those consumers seeking their business); Liberty Fi- 
nancial Companies, Inc., FTC Dkt. No. C-3891 (Aug. 12, 1999) (consent order) (challenging the 
allegedly false representations by the operator of a “Young Investors” Web site that information 
collected from children in an online survey would be maintained anonymously); GeoCities, FTC 
Dkt. No. C-3849 (Feb. 12, 1999) (consent order) (settling charges that Web site misrepresented 
the purposes for which it was collecting personal identifying information from children and 
adults). 

12 The Report is available on the Commission’s Web site at
<http://www.ftc.gov/reports/privacy3/index.htm>.

13 1998 Report at 11-14. 
were collecting great amounts of personal information from consumers, few (14%)
disclosed anything at all about their information practices. 14 

Based on survey data showing that the vast majority of sites directed at children 
also collected personal information, the Commission recommended that Congress 
enact legislation setting forth standards for the online collection of personal infor- 
mation from children. 15 The Commission deferred its recommendations with respect 
to the collection of personal information from online consumers generally. In subse- 
quent Congressional testimony, the Commission discussed promising self-regulatory 
efforts suggesting that industry should be given more time to address online privacy 
issues. The Commission urged the online industry to expand these efforts by adopt- 
ing effective, widespread self-regulation based upon the long-standing fair informa- 
tion practice principles of Notice, Choice, Access, and Security, and by putting en- 
forcement mechanisms in place to assure adherence to these principles. 16 

Last year, Georgetown University Professor Mary Culnan conducted a survey of 
a random sample drawn from the most-heavily trafficked sites on the World Wide 
Web as well as a survey of the busiest 100 sites. 17 The former, known as the 
Georgetown Internet Privacy Policy Survey, found significant improvement in the 
frequency of privacy disclosures, but also that only 10% of the sites posted disclo- 
sures that even touched on all four fair information practice principles. 18 Based in 
part on these results, a majority of the Commission recommended in its 1999 report 
to Congress, Self-Regulation and Privacy Online, that self-regulation be given more 
time, but called for further industry efforts to implement the fair information prac- 
tice principles. 19 

This week the Commission issued its third report to Congress examining the state 
of online privacy and the efficacy of industry self-regulation. Privacy Online: Fair 
Information Practices in the Electronic Marketplace (“2000 Report”)* presents the 
results of the Commission’s 2000 Online Privacy Survey, which reviewed the nature 
and substance of U.S. commercial Web sites’ privacy disclosures, and assesses the 
effectiveness of self-regulation. The 2000 Report also considers the recommendations 
of the Commission-appointed Advisory Committee on Online Access and Security. 20 
Finally, the Report sets forth the Commission’s conclusion that legislation is nec- 
essary to ensure further implementation of fair information practices online and rec- 
ommends the framework for such legislation. 21 


14 Id. at 23, 27. 

15 Id. at 42-43. In October 1998, Congress enacted the Children’s Online Privacy Protection
Act of 1998 (“COPPA”), which authorized the Commission to issue regulations implementing the 
Act’s privacy protections for children under the age of 13. 15 U.S.C. §§6501 et seq. In October 
1999, as required by COPPA, the Commission issued its Children’s Online Privacy Protection 
Rule, which became effective last month. 16 C.F.R. Part 312. 

16 See Prepared Statement of the Federal Trade Commission on “Consumer Privacy on the 
World Wide Web” before the Subcommittee on Telecommunications, Trade and Consumer Pro- 
tection of the House Committee on Commerce, U.S. House of Representatives (July 21, 1998), 
available at <http://www.ftc.gov/os/1998/9807/privac98.htm>. 

17 The results for the random sample of 361 Web sites are reported in Georgetown Internet 
Privacy Policy Survey: Report to the Federal Trade Commission (June 1999), available at
<http://www.msb.edu/faculty/culnanm/gippshome.html> [hereinafter “GIPPS Report”]. The results of
Professor Culnan’s study of the top 100 Web sites, conducted for the Online Privacy Alliance,
are reported in Online Privacy Alliance, Privacy and the Top 100 Sites: Report to the Federal
Trade Commission (June 1999), available at
<http://www.msb.edu/faculty/culnanm/gippshome.html> [hereinafter “OPA Report”].

18 See GIPPS Report, Appendix A, Table 8C. 

19 Self-Regulation and Privacy Online (July 1999) at 12-14 (available at
<http://www.ftc.gov/os/1999/9907/index.htm#13>).

* The information referred to has been retained in Committee files. 

20 In December 1999, the Commission established the Federal Trade Commission Advisory
Committee on Online Access and Security, pursuant to the Federal Advisory Committee Act, 5 
U.S.C. App. §§ 1-15. Notice of Establishment of the Federal Trade Commission Advisory Com- 
mittee on Online Access and Security and Request for Nominations, 64 Fed. Reg. 71,457 (1999). 

The Commission asked the Advisory Committee, a group comprising 40 e-commerce experts, 
industry representatives, security specialists, and consumer and privacy advocates, to consider 
the parameters of “reasonable access” to personal information collected from and about con- 
sumers online and “adequate security” for such information, and to prepare a report presenting 
options for implementation of these fair information practices and the costs and benefits of each 
option. The duties of the Advisory Committee were solely advisory. The Advisory Committee Re- 
port and proceedings are available at <http://www.ftc.gov/acoas>. 

21 The Commission vote to issue the 2000 Report was 3-2, with Commissioner Swindle dis- 
senting and Commissioner Leary concurring in part and dissenting in part. Both Commis- 
sioners’ separate statements are attached to the Report. Copies of the 2000 Report and of the 
report of the Advisory Committee on Online Access and Security are attached. * The Reports 
are also available at <http://www.ftc.gov/reports/privacy2000/privacy2000.pdf> and <http:// 
II. Fair Information Practices in the Electronic Marketplace: The Results of the 2000 Survey

In February and March 2000, the Commission conducted a survey of commercial 
sites’ information practices, using a list of the busiest U.S. commercial sites on the 
World Wide Web. 22 Two groups of sites were studied: (a) a random sample of 335 
Web sites (the “Random Sample”) and (b) 91 of the 100 busiest sites (the “Most Pop- 
ular Group”). 23 As was true in 1998, the 2000 Survey results show that Web sites 
collect a vast amount of personal information from and about consumers. Almost all 
sites (97% in the Random Sample, and 99% in the Most Popular Group) collect an 
e-mail address or some other type of personal identifying information. 24 

The 2000 Survey results also show that there has been continued improvement 
in the percent of Web sites that post at least one privacy disclosure (88% in the 
Random Sample and 100% in the Most Popular Group). 25 The Commission’s 2000 
Survey went beyond the mere counting of disclosures, however, and analyzed the 
nature and substance of these privacy disclosures in light of the fair information 
practice principles of Notice, Choice, Access, and Security. It found that only 20% 
of Web sites in the Random Sample that collect personal identifying information im- 
plement, at least in part, all four fair information practice principles (42% in the 
Most Popular Group). 26 While these numbers are higher than similar figures ob- 
tained in Professor Culnan’s studies, the percentage of Web sites that state they are 
providing protection in the core areas remains low. Further, recognizing the com- 
plexity of implementing Access and Security as discussed in the Advisory Committee 
report, the Commission also examined the data to determine whether Web sites are 
implementing Notice and Choice only. The data showed that only 41% of sites in 
the Random Sample and 60% of sites in the Most Popular Group meet the basic 
Notice and Choice standards. 27 

The 2000 Survey also examined the extent to which industry’s primary self-regu- 
latory enforcement initiatives — online privacy seal programs — have been adopted. 
These programs, which require companies to implement certain fair information 
practices and monitor their compliance, promise an efficient way to implement pri- 
vacy protection. However, the 2000 Survey revealed that although the number of 
sites enrolled in these programs has increased over the past year, 28 the seal pro- 
grams have yet to establish a significant presence on the Web. The Survey found 
that less than one-tenth, or approximately 8%, of sites in the Random Sample dis- 
play a privacy seal. Moreover, less than one-half, or 45%, of the sites in the Most 
Popular Group display a seal. 29 

III. Commission Recommendations 

Based on the past years of work addressing Internet privacy issues, including ex- 
amination of prior surveys and workshops with consumers and industry, it is evi- 
dent that online privacy continues to present an enormous public policy challenge. 30 
The Commission applauds the significant efforts of the private sector and commends 
industry leaders in developing self-regulatory initiatives. The 2000 Survey, however, 
demonstrates that industry efforts alone have not been sufficient. Because self-regu- 
latory initiatives to date fall far short of broad-based implementation of effective 
self-regulatory programs, a majority of the Commission has concluded that such ef- 
forts alone cannot ensure that the online marketplace as a whole will emulate the 
standards adopted by industry leaders. While there will continue to be a major role 
for industry self-regulation in the future, a majority of the Commission recommends 
that Congress enact legislation that, in conjunction with continuing self-regulatory 
programs, will ensure adequate protection of consumer privacy online. 


www.ftc.gov/acoas/papers/finalreport.htm>, respectively. * The information referred to has been
retained in Committee files.

22 The list of Web sites was provided by Nielsen//NetRatings based upon January 2000 traffic
figures. 2000 Report, Appendix A. 

23 2000 Report at 7, 9 and Appendix A.

24 2000 Report at 9.

25 Id. at 10. 

26 Id. at 12-13. 

27 Id. at 13-14. 

28 Id. at 6-7. 

29 Id. at 20. 

30 As noted earlier, supra n.10, and as illustrated by legislative decisions made in the areas 
of medical and financial privacy, offline privacy issues are also significant. 
The proposed legislation would set forth a basic level of privacy protection for consumer-oriented
commercial Web sites. 31 Such legislation would establish basic
standards of practice for the collection of information online, and provide an imple- 
menting agency with the authority to promulgate more detailed standards pursuant 
to the Administrative Procedure Act. 32 

Consumer-oriented commercial Web sites that collect personal identifying infor- 
mation from or about consumers online would be required to comply with the four 
widely-accepted fair information practices: 

(1) Notice — Web sites would be required to provide consumers clear and con- 
spicuous notice of their information practices, including what information they 
collect, how they collect it (e.g., directly or through non-obvious means such as 
cookies), how they use it, how they provide Choice, Access, and Security to con- 
sumers, whether they disclose the information collected to other entities, and 
whether other entities are collecting information through the site. 33 

(2) Choice — Web sites would be required to offer consumers choices as to how 
their personal identifying information is used beyond the use for which the in- 
formation was provided (e.g., to consummate a transaction). Such choice would 
encompass both internal secondary uses (such as marketing back to consumers) 
and external secondary uses (such as disclosing data to other entities). 

(3) Access — Web sites would be required to offer consumers reasonable access 
to the information a Web site has collected about them, including a reasonable 
opportunity to review information and to correct inaccuracies or delete informa- 
tion. 

(4) Security — Web sites would be required to take reasonable steps to protect 
the security of the information they collect from consumers. 

The Commission recognizes that the implementation of these practices may vary 
with the nature of the information collected and the uses to which it is put, as well 
as with technological developments. For this reason, a majority of the Commission 
recommends that any legislation be phrased in general terms and be technologically 
neutral. Thus, the definitions of fair information practices set forth in the statute 
should be broad enough to provide flexibility to the implementing agency in promul- 
gating its rules or regulations. 

Finally, the Commission notes that industry self-regulatory programs would con- 
tinue to play an essential role under such a statutory structure, as they have in 
other contexts. 34 The Commission hopes and expects that industry and consumers 
would participate actively in developing regulations under the new legislation and 
that industry would continue its self-regulatory initiatives. The Commission also 
recognizes that effective and widely-adopted seal programs could be an important 
component of that effort. 

For all of these reasons, a majority of the Commission believes that its proposed 
legislation, in conjunction with self-regulation, will ensure important protections for 
consumer privacy at a critical time in the development of the online marketplace. 
Without such protections, electronic commerce will not reach its full potential and 
consumers will not gain the confidence they need in order to participate fully in the 
online marketplace. 


31 Legislation should cover such sites to the extent not already covered by the Children’s On- 
line Privacy Protection Act, 15 U.S.C. §§6501 et seq. 

32 5 U.S.C. §553. 

33 The Commission will soon be addressing the issue of third-party online collection of per- 
sonal information for profiling purposes in a separate report to Congress. 

34 For example, the program administered by the National Advertising Division of the Council 
of Better Business Bureaus, Inc. (“NAD”) is a model self-regulatory program that complements 
the Commission’s authority to regulate unfair and deceptive advertising. The NAD expeditiously 
investigates complaints made by consumers or competitors about the truthfulness of advertising. 
An advertiser that disagrees with the NAD’s conclusion may appeal to the National Advertising 
Review Board (“NARB”), which includes members from inside and outside the advertising indus- 
try. The vast majority of disputes handled by the NAD and NARB are resolved without govern- 
ment intervention, resulting in greater respect for and enforcement of the law at a substantial 
savings to the taxpayer. Those disputes that the NAD and NARB are unable to resolve are re- 
ferred to the Commission. 

The Commission also has a long record of working with industry to develop and disseminate 
informational materials for the public. See, e.g., Notice of Opportunity to Participate and Obtain 
Co-Sponsorship in Agency Public Awareness Campaign re: Children’s Online Privacy Protection 
Rule, available at <http://www.ftc.gov/os/2000/05/index.htm#12>.
IV. Conclusion

The Commission is committed to the goal of assuring fair information practices 
for consumers online, and looks forward to working with the Committee as it con- 
siders the Commission’s Report and proposals for protecting online privacy. 

The Chairman. I thank you, Chairman Pitofsky. 

I would tell the other Commissioners, your complete statement 
will be made part of the record and if you could summarize we 
would very much appreciate it. But at the same time, we do not 
want to prevent the Committee from receiving all the information 
you wish to convey. 

Commissioner Anthony. 

STATEMENT OF HON. SHEILA F. ANTHONY, COMMISSIONER, 
FEDERAL TRADE COMMISSION 

Ms. Anthony. Thank you, Mr. Chairman. I am delighted to be 
here today and I am pleased that the Commission is recommending 
Federal legislation 

Senator Stevens. Would you pull that mike up to you, please. 

Ms. Anthony. Sure. 

I am pleased that the Commission is recommending legislation 
necessary to protect consumer privacy. I wish to emphasize four 
points related to our legislative recommendation: 

One, any quality privacy policy should offer true protections to 
consumers and be presented in a simple format that is clear and 
understandable;

Two, an enforcement mechanism must be in place that gives con- 
sumers confidence that Web sites do what they say they do with 
consumers’ personal data; 

Three, a patchwork of State privacy laws will result in confusion 
both to consumers and businesses, and thus Federal preemption 
should at least be seriously considered; 

Four, implementation of consumer consent via opt-in and opt-out 
may require making a distinction between market information and 
sensitive health and financial information. 

The 2000 survey reports that 97 percent of the random sample 
and 99 percent of the most popular group collect personally identi- 
fying information, but only 20 percent of the random sample and 
just 42 percent of the most popular group address, at least in part, 
all four information practices. 

Seal programs and audits can be key enforcement mechanisms. 
Yet only 8 percent in the random sample and 45 percent of the 
most popular group display a seal. 

Perhaps more troubling to me is that many privacy policies are 
confusing, contradictory, and ambiguous. I reviewed some of the 
privacy policies in the most popular group of Web sites in our sur- 
vey. Frankly, I was disappointed. Almost half of the policies are too 
long, varying from 3 to 12 pages. Many try to lull a consumer into 
a false sense of comfort. Despite opening statements asserting the 
importance of the user’s privacy, subsequent paragraphs frequently 
contain contradictory information. 

Consider the following language in an Internet service provider’s 
published privacy policy. The first sentence states: “Your privacy is 
important to us,” but continues several paragraphs later: “The per- 
sonal information we collect from members during the registration 
process is used to manage each member’s account. This information
is not shared with third parties unless specifically stated otherwise 
or in special circumstances.” 

Three pages later, the same policy goes on to say: “We may dis- 
close personal information about our visitors or members or infor- 
mation regarding your use of the services or Web sites accessible 
through our services for any reason if, in our sole discretion, we be- 
lieve it is reasonable to do so.” 

Would you call this a clear, unambiguous disclosure? I do not. 
Does it inform consumers about whether his or her information will 
be shared and, if so, with whom? I do not believe it does. 

My next example illustrates serious concerns with regard to 
meaningful consent. I quote from a privacy policy statement from 
one of the top 100 sites: “When you submit personal information 
to us, you understand and agree that our subsidiaries, affiliates, 
and trusted vendors may transfer, store, and process your customer 
profile in any of the countries in which we and our affiliates main- 
tain offices.” 

Has the site identified with specificity the parties with whom it 
will share this consumer’s information? Is consent meaningful if 
consumers do not see this notice or have access to it at the time 
they supply their personal information? 

Even a policy that incorporates all four fair information practices 
can be ambiguous and contradictory. What do you make of this pri- 
vacy policy that contains the following disclaimer: “This statement 
and the policies outlined herein are not intended to and do not cre- 
ate any contractual or other legal rights in or on behalf of any 
party.” This disclaimer seems to absolve the site of any responsi- 
bility to protect a consumer’s information. It reminds me of a letter 
I once received from a lawyer which had the following postscript: 
“Dictated but not read.” 

I do not think it is difficult to design a standardized, conspicuous 
privacy notice that informs consumers in an unambiguous, non-con- 
tradictory way. The chart, which is attached to my testimony and 
is what you see here, tells the viewer most of what she needs to 
know about a Web site’s privacy practices and consumer choices. 
Web sites can take advantage of the interactive nature of the Inter- 
net to design effective mechanisms and to provide meaningful no- 
tice or privacy policies. 

I share Commissioner Leary’s view that a comprehensive privacy 
policy for consumers must extend to the offline world. The business 
incentive to compete simultaneously in both the offline and online 
worlds is high. To create a distinction between offline and online 
is artificial and outdated and in the long run may foster market 
barriers. 

Finally, I want to commend the FTC staff for the hard work they 
have done on this report. The Bureau of Consumer Protection, with 
the assistance of the Bureau of Economics, designed and imple- 
mented this survey, and the numbers were reported clearly, fairly, 
and without bias. 

Thank you for allowing me to share my views. 

[The prepared statement of Commissioner Anthony follows:] 
Prepared Statement of Hon. Sheila F. Anthony, Commissioner,
Federal Trade Commission 

Mr. Chairman and members of the Committee, I am delighted to be here this 
morning, and I appreciate your holding this hearing to address a topic of great im- 
portance to the American people and critical to the growth and success of electronic 
commerce. 

I am pleased the Commission is recommending that federal legislation is nec- 
essary to protect consumer privacy. Survey after survey demonstrates that public 
concerns about privacy have been growing and that these concerns have focused on 
the power of technologies to collect, store, search, and transmit large amounts of 
personally identifiable information. I not only share those concerns, I note that 
threats to consumer privacy are increasing with the merging of the offline and on- 
line worlds. In short, things may be getting worse for Americans on the privacy 
front. 

I wish to emphasize four points related to the legislative recommendation the 
Commission makes to you today: 

1) Any quality privacy policy should offer true protections to consumers and be 
presented in a simple format that is clear and understandable. 

2) An enforcement mechanism must be in place that gives consumers confidence 
that Web sites do what they say they will do with consumers’ personal data. 
While the seal of approval programs offer promise, 92 percent of the surveyed 
sites did not have a privacy seal from one of the industry-established programs. 
There may be some advantage to building on industry standards that utilize au- 
dits. 

3) A patchwork of state privacy laws will result in confusion to both consumers 
and businesses, and thus federal pre-emption should be, at least, seriously con- 
sidered. People value uniformity and predictability. 

4) Implementation of consumer consent, via opt-in and opt-out methods, may re- 
quire making a distinction between market information and sensitive health 
and financial information. 

A. Fair Information Principles Are Widely Accepted 

In the Commission’s first Privacy Report in 1998, we summarized four widely ac- 
cepted principles regarding the collection, use, and dissemination of personal infor- 
mation. These core principles of privacy protection are common to government re- 
ports, guidelines, and model codes, and predate the online medium: 

• Notice — data collectors must disclose their information practices before col- 
lecting personal information from consumers. 

• Choice — consumers must be given options with respect to whether and how per- 
sonal information collected from them may be used for purposes beyond those 
for which the information was provided. 

• Access — consumers should be able to view and contest the accuracy and com- 
pleteness of data collected about them. 

• Security — data collectors must take reasonable steps to assure that information 
collected from consumers is accurate and secure from unauthorized use. 

B. The Vast Majority of Web sites Collect Personal Data But Do Not Provide Privacy Protections

The percentage of commercial Web sites that collect personally identifying infor- 
mation is very high. The 2000 Survey reports that 97 percent of the Random Sam- 
ple and 99 percent of the Most Popular Group collect personally identifying informa- 
tion, but the percentage providing aspects of these fair information practices is still 
quite low. The 2000 Survey reports that only 20 percent of the Random Sample and 
just 42 percent of the Most Popular Group address, at least in part, all four fair 
information practices. In fact, these results likely overstate the percentage of sites 
that truly implement the fair information practices in a meaningful way. Our con- 
tent analysts credited policies if the stated practices applied to any of the informa- 
tion collected, even if it did not apply to all the information collected. 1 


1 The 2000 Survey analysis gave Access credit for informational statements about any one of 
three elements (review, correction or deletion). However, the Commission previously stated that 
fair information practices require that consumers be afforded both an opportunity to review in- 

C. Policies Posted By Web sites Are Confusing and Contradictory

Perhaps more troubling to me is that many privacy policies are confusing, con- 
tradictory, and ambiguous. What good is a privacy policy that is not understandable 
by ordinary consumers, is contradictory from paragraph to paragraph, or fails to 
offer basic protections? 

I reviewed some of the privacy policies of the Most Popular Group of Web sites 
in the survey. Frankly, I was disappointed. Almost half of the privacy policies are 
too long, varying from 3-12 pages. Many try to lull the consumer into a false sense 
of comfort by utilizing opening statements regarding the importance of respecting 
individual privacy or by referring to third parties as “trusted vendors” or those with 
whom there is an “established agreement to protect your privacy.” Despite the open- 
ing statements asserting the importance of the user’s privacy, subsequent para- 
graphs frequently contain contradictory information. After reviewing some of these 
policy statements, I am left to wonder whether: 

• these policies truly inform consumers 

• the Web sites have something to hide 

• the Web sites themselves are confused about their own policies 

• the drafting lawyers have run amok. 

Consider the following language in an Internet Service Provider’s published Pri- 
vacy Policy. 

The first sentence states: 

Your privacy is very important to us. 

But, continues several paragraphs later: 

The personal information we collect from members during the registration proc- 
ess is used to manage each member’s account. This information is not shared 
with third parties unless specifically stated otherwise or in special cir- 
cumstances. 

Three pages later, the same policy goes on to say: 

[We] may disclose personal information about our visitors or members or infor- 
mation regarding your use of the Services or Web sites accessible through our 
Services, for any reason if, in our sole discretion, we believe that it is reasonable 
to do so, . . . 

Would you call this a clear, unambiguous disclosure? I do not. Does it inform the 
consumer about whether his or her information will be shared and, if so, with 
whom? I do not believe it does. 

My next example illustrates serious concerns with regard to meaningful consent. 
I quote from a privacy policy statement from one of the top 100 sites: 

When you submit personal information to [us] you understand and agree that 
our subsidiaries, affiliates and trusted vendors may transfer, store, and process 
your customer profile in any of the countries in which we and our affiliates 
maintain offices. 

Has the site identified with specificity the parties with whom it will share cus- 
tomer information? Is consent meaningful if consumers do not see this notice or 
have access to it at the time they surrender their personal information? 

Even a policy statement that incorporates all of the four fair information practices 
may still be ambiguous and contradictory. What do you make of a privacy policy 
that contains the following disclaimer: 

These policies are effective as of [x date]. [This site] reserves the right to change 
the policy at any time by notifying users of the existence of a new privacy state- 
ment. This statement and the policies outlined herein are not intended to and 
do not create any contractual or other legal rights in or on behalf of any party. 

I wonder through what means consumers will be notified of changes in the policy 
statement. How will data collected pursuant to one policy be treated under a new 
policy? Must consumers “check back” from time to time? The disclaimer, quoted 
above, seems to absolve the site of any responsibility to protect a consumer’s infor- 
mation. It reminds me of a letter I once received from a lawyer, which had the fol- 
lowing post script: “Dictated, but not read.” 

formation and an opportunity to contest the data’s accuracy or completeness. Under this stand- 
ard, only 11% of the random and 27% of the Most Popular Group would receive credit for pro- 
viding Access rather than the 18% of the random and 47% of the Most Popular Group calculated 
using an expansive measure. 

D. An Increase in Posted Privacy “Policies” Does Not Correlate with Increased Privacy Protections 

Although the survey demonstrates some increase in the percentage of sites post- 
ing privacy policies, these policies all too often do not offer privacy protections. 
While Web sites should be offering privacy protections, a whopping 80 percent of 
the surveyed Web sites in the Random Sample failed to implement aspects of notice, 
choice, access, and security. 

E. No Enforcement Tools Exist to Ensure Sites Do What They Say 

For years the Commission has urged industry to engage in meaningful self-regu- 
latory efforts. For self-regulation to be credible, there must be an enforcement mech- 
anism that gives consumers confidence that Web sites do what they say they do 
with consumers’ personal data. Seal programs and audits can be key enforcement 
mechanisms. Yet, 92 percent of the surveyed Web sites in the Random Group did 
not have a privacy seal. Our legislative recommendation would reward those sites 
that have offered meaningful privacy protections and would require all others to 
meet basic privacy standards. It would also give consumers the assurance that a 
legal structure is in place to provide confidence that stated privacy policies will be 
honored. 

F. A Standardized Privacy Notice May be Useful: See Chart 

How difficult is it to design a conspicuous privacy notice that informs consumers 
in a standardized, unambiguous, non-contradictory way? Not very difficult. Ap- 
pended to this testimony is a simple chart that tells the viewer most of what she 
needs to know about a Web site’s privacy practices and consumer choices. Web sites 
can take advantage of the interactive nature of the Internet to design effective 
mechanisms to provide meaningful notice or privacy policies. 

G. Profiling is Invisible and Threatens Consumer Privacy 

Profiling is beyond the scope of this report, and I believe it will be the subject 
of a later Commission report. Profiling poses a serious privacy threat to consumers 
because it is largely invisible to them. I am concerned about the passive, surrep- 
titious collection of information about consumers and their browsing habits without 
their knowledge. Our report notes that third party cookies are placed by ad servers 
on 78 percent of the sites in the Most Popular Group. Of those sites, only 51 percent 
disclose to consumers that they have allowed third party cookies to be placed (and 
they usually locate that disclosure at the end of the policy statement). Unless con- 
sumers are technically skilled enough to set their browser to alert them to cookies 
or to decline all third party cookies, the placement of third party cookies generally 
goes unnoticed by consumers. 

H. Online, Offline: What’s the Difference? 

Finally, I share Commissioner Leary’s view that a comprehensive privacy policy 
for consumers must extend to the offline world. Traditional brick and mortar busi- 
nesses no longer store and maintain their customer records on index cards. The data 
businesses have collected offline are often transferred to computers and can be 
merged with online databases with a simple click of a button. The business incen- 
tive to compete simultaneously in both the online and offline worlds is high. To cre- 
ate a distinction between the offline and online worlds is artificial and outdated and 
in the long run may foster market barriers. 

Finally, I want to commend the FTC staff for the excellent job they have done 
on this Report. The Bureau of Consumer Protection, with the assistance of the Bu- 
reau of Economics, designed and implemented the survey that formed the basis of 
this report. The survey numbers were reported clearly, fairly, and without bias. My 
hat is off to them. 

I appreciate the opportunity to express my views. 

Sample Privacy Policy 

We collect Personally Identifiable Information about you 
□ Yes   □ No 
Click here to see what kinds of information we collect 

We use your personal information to notify you of our future promotions 
□ Yes   □ No 
Click here to opt out/opt in 

We share information about you with Third Parties for marketing purposes. Click here to see who we share information with 
□ Yes   □ No 
Click here to opt out/opt in 

You may review and correct or delete information about yourself (with proper authentication) 
□ Yes   □ No 
Click here to access our database. Have your Membership # and Pin # ready. 

We provide reasonable security to protect your personal information during its transmission and while it is in our possession 
□ Yes   □ No 


The Chairman. Thank you very much, Commissioner Anthony. 

Commissioner Swindle. 

STATEMENT OF HON. ORSON SWINDLE, COMMISSIONER, 
FEDERAL TRADE COMMISSION 

Mr. Swindle. Thank you, Mr. Chairman, Senator Hollings, and 
members of the Committee. 

The Chairman. You need the microphone. 

Mr. Swindle. I appreciate this opportunity to be with you today 
and share some thoughts. I will, at the chairman’s request, try to 
summarize my prepared statement, which we have all submitted. 

I have dissented against the Commission’s embarrassingly 
flawed privacy report and its conclusory, yet sweeping, legislative 
recommendation. In an unwarranted reversal of its earlier accept- 
ance of a self-regulatory approach, a majority of the Commission 
has recommended that Congress require all commercial consumer- 
oriented Web sites that collect personally identifying information 
from consumers to adopt government-prescribed versions of four 
fair information privacy practices, known as FIPPs. You have 
heard: notice, choice, access, and security. 

The majority has abandoned the self-regulatory approach in 
favor of an excessive government regulation despite continued 
progress in self-regulation. Why has a majority of the Commission 
decided to discontinue relying on self-regulation? The fundamental 
rationale given is that not enough Web sites are providing the type 
of privacy protections that the Commission has decided should be 
provided and this is hindering and will continue to hinder the 
growth of electronic commerce. 

Instead of focusing on consumers’ increasing ability to make 
choices concerning online privacy protection, the majority empha- 
sizes that the survey, the 2000 survey, reveals that only 20 percent 
of all commercial Web sites and 42 percent of the most popular 
Web sites meet the full FIPPs requirement. But the main reason 
for this relatively low percentage is that commercial Web sites have 
not disclosed to consumers whether they provide access and secu- 
rity. This failure to disclose is not surprising given the access and 
security implementation difficulties recently identified by the Advi- 
sory Committee on Access and Security, a copy of which I believe 
is included in our report. 

In this regard, it is important to emphasize that the 2000 survey 
did not attempt to measure whether sites actually provide access 
and security. Rather, it gauged only whether disclosures address 
these issues. The 2000 survey certainly did not give any credit for 
no access, even though the majority indicates it might consider no 
access to be reasonable access in some instances. 

If these access and security disclosure requirements are elimi- 
nated, the percentages of all Web sites meeting the FIPPs require- 
ment rises significantly, to 41 percent of all commercial Web sites 
and 60 percent of the most popular. But even this 41 percent figure 
is understated because it uses a very strained definition of choice 
that is more accurately, in my mind, described as mandated choice. 

Specifically, there is no choice recognized by the survey unless 
the consumer is allowed to make two choices: whether or not his 
information can be used internally by the Web site or the business 
or, and the second requirement, whether the business is allowed to 
use that information with third parties. 

The report’s recommendation that choice be legislated does not 
mean the kind of choice that informed consumers exercise in a 
marketplace once they know the terms on which they are dealing 
with retailers. That is real choice. The effect of mandated choice 
may be, as Senator Kerry pointed out, to start to eliminate or re- 
duce choices for the consumers. 

Legislation, in my mind, should be reserved for problems that 
the market cannot fix on its own and should not be adopted with- 
out consideration of the problems legislation may create by, for ex- 
ample, imposing costs or other unintended consequences that could 
severely stifle a thriving new economy. 

The majority has recommended that Congress give rulemaking 
authority to an implementing agency, presumably the Commission, 
to define the proposed legislative requirements. In my judgment, 
however, the Commission owes it to the Congress and to the public 
to comment more specifically on what it has in mind before it rec- 
ommends legislation that requires all consumer-oriented commer- 
cial Web sites to comply with breathtakingly broad laws whose de- 
tails will be filled in later during the rulemaking process. 

The privacy report is devoid of any consideration of cost of legis- 
lation in comparison to the asserted benefits of enhancing con- 
sumer confidence and allowing electronic commerce to reach its full 
potential. 

For the sake of time, I will not cover my entire dissent nor the 
prepared statement that I have submitted today. But, I would like 
to make a couple of remarks in conclusion. The privacy report fails 
to pose and to answer basic questions that all regulators and law- 
makers should consider before embarking on extensive regulation 
that could throttle the new economy. Shockingly, there is abso- 
lutely no consideration of the costs and benefits of regulation, nor 
of regulation’s predictable and unanticipated effects on competition 
and consumer choice, nor the experience we have to date with gov- 
ernment regulation of privacy, nor of the constitutional issues, nor 
of how this vague and vast mandate will be enforced. 

Industry self-regulation is working. Effective privacy protection 
is more than a numbers game, and the private sector is continuing 
to address consumer concerns about privacy because it is in indus- 
try’s best interest to do so. Let us not make the search for the per- 
fect the enemy of the good. The best way to build consumer trust 
and to ensure the continued growth of the Internet is through a 
combination of education, strong industry self-regulation, and 
strong FTC enforcement under existing legal authority. It is pre- 
mature and counterproductive for the Commission to radically 
change course and call for broad legislation. 

Thank you, sir. I would be happy to answer questions later. 

[The prepared statement of Commissioner Swindle follows:] 

Prepared Statement of Hon. Orson Swindle, Commissioner, 
Federal Trade Commission 

Mr. Chairman and Members of the Committee, I am Orson Swindle, a Commis- 
sioner of the Federal Trade Commission. I appreciate the chance to testify today on 
the issue of online privacy. 1 

I have dissented from the Commission’s embarrassingly flawed Privacy Report 
and its conclusory — yet sweeping — legislative recommendation. In an unwarranted 
reversal of its earlier acceptance of a self-regulatory approach, a majority of the 
Commission has recommended that Congress require all commercial consumer-ori- 
ented Web sites that collect personal identifying information from consumers to 
adopt government-prescribed versions of four fair information practice principles 
(“FIPPs”): Notice, Choice, Access, and Security. 2 The majority has abandoned a self- 
regulatory approach in favor of extensive government regulation, despite continued 
progress in self-regulation. 

Why has the majority of the Commission decided to discontinue relying on self- 
regulation? The fundamental rationale given is that not enough Web sites are pro- 
viding the type of privacy protections that the Commission has decided should be 
provided, and this is hindering and will continue to hinder the growth of e-com- 
merce. The available data do not support this rationale. The 2000 Survey shows 
that 88% of all commercial Web sites (100% of the most popular sites) displayed at 
least one privacy disclosure to consumers, up from a mere 14% of all sites (71% of 
the most popular sites) in 1998. (Privacy Report [“PR”] at 10, Appendix C, Table 
2a). Thus, online companies are by and large providing notice to consumers as to 
their privacy policies, and consumers can choose whether to deal with these compa- 
nies based on their privacy policies. For those who believe that allowing consumers 
to make their own choices is the fundamental objective, the results of the 2000 Sur- 
vey are very encouraging, although more work certainly needs to be done by indus- 
try. 

Instead of focusing on consumers’ increasing ability to make choices concerning 
online privacy protections, the majority emphasizes that the 2000 Survey reveals 
that only 20% of all commercial Web sites (42% of the most popular sites) meet the 
full FIPPS requirements. (PR Appendix C, Table 4). But the main reason for this 
relatively low percentage is that commercial Web sites have not disclosed to con- 
sumers whether they provide access and security. This failure to disclose is not sur- 
prising, given the access and security implementation difficulties recently identified 
by the Advisory Committee on Access and Security. 3 


1 My oral testimony and any responses to questions you may have reflect my own views and 
are not necessarily the views of the Commission or any other Commissioner. 

2 While this is a reversal for the Commission, Commissioner Anthony has consistently pre- 
ferred a legislative approach. See Statement of Commissioner Sheila F. Anthony, Concurring in 
Part and Dissenting in Part, Self-Regulation and Privacy Online (July 1999), available at 
<http://www.ftc.gov/os/1999/9907/index.htm#13>. 

3 In 1999, the Commission established an Advisory Committee on Online Access and Security 
to provide advice and recommendations to the Commission regarding implementation of reason- 
able access and adequate security by domestic commercial Web sites. That Committee provided 

In this regard, it is important to emphasize that the 2000 Survey did not attempt 
to measure whether sites actually provide Access and Security; rather, it gauged 
only whether disclosures addressed these issues. And the 2000 Survey certainly did 
not give any credit for “No Access,” even though the majority indicates it might con- 
sider no access to be “reasonable Access” in some instances. 

If these access and security disclosure requirements are eliminated, the percent- 
age of all Web sites meeting the FIPPS requirements rises significantly to 41% of 
all commercial Web sites (60% of the most popular sites). But even this 41% figure 
is understated because it uses a strained definition of “choice” that is more accu- 
rately described as “Mandated Choice.” Specifically, the 2000 Survey gave credit for 
choice only when a Web site (1) gave the consumer a chance to agree to or to au- 
thorize communications back to the consumer from the Web site and (2) gave the 
consumer a chance to agree to or authorize disclosure of the consumer’s information 
to third parties. The Report’s recommendation that “choice” be legislated does not 
mean the kind of choice that informed consumers exercise in a marketplace once 
they know the terms on which they are dealing with retailers. That is real choice. 
Instead, the majority has recommended Mandated Choice that would require Web 
sites to continue to do business with consumers who do not agree to the uses the 
site tells them it will make of their personal information. For sites whose business 
depends on the use of information to provide consumers with discounts or to reduce 
the cost of services to consumers, the effect of Mandated Choice may be to mandate 
their exit from the marketplace or at least the reduction of the choices or products 
and services now available. Thus, in the name of Mandated Choice, consumers 
would have less choice. 

Not satisfied with the self-regulation’s very encouraging progress concerning pri- 
vacy policy notices and its solid progress with regard to Mandated Choice, the ma- 
jority recommends that the Congress impose a legislative solution. Legislation could 
limit consumer choices and provide a disincentive for the development of further 
technological solutions. Government regulation may actually give consumers fewer 
choices and, as technology changes, less privacy. Legislation should be reserved for 
problems that the market cannot fix on its own and should not be adopted without 
consideration of the problems legislation may create by, for example, imposing costs 
or other unintended consequences that could severely stifle the thriving New Econ- 
omy. 

The majority has recommended that Congress give rulemaking authority to an 
“implementing agency” (presumably the Commission) to define the proposed legisla- 
tive requirements. In my judgment, however, the Commission owes it to Congress — 
and to the public — to comment more specifically on what it has in mind before it 
recommends legislation that requires all consumer-oriented commercial Web sites to 
comply with breathtakingly broad laws whose details will be filled in later during 
the rulemaking process. 

The Privacy Report is devoid of any consideration of the costs of legislation in 
comparison to the asserted benefits of enhancing consumer confidence and allowing 
electronic commerce to reach its full potential. Instead, it relies on skewed descrip- 
tions of the results of the Commission’s 2000 Survey and studies showing consumer 
concern about privacy as the basis for a remarkably broad legislative recommenda- 
tion. It does not consider whether legislation will address consumer confidence prob- 
lems and why legislation is preferable to alternative approaches that rely on market 
forces, industry efforts, and enforcement of existing laws. 

For the sake of time, I will not cover my entire dissent, but I would like to draw 
your attention to additional points that it makes: 

• the Report does not adequately credit self-regulatory efforts and ignores devel- 
opments in technology; 

• the 2000 Survey provides a unique baseline for measuring the quality of privacy 
disclosures; 

• individual FIPPS are widespread; 

• measuring success on the basis of full FIPPs is irrational; 

• equating self-regulatory enforcement with the prevalence of seal programs is 
misleading; 

• the Report confirms the exponential growth in online commerce but misuses 
consumer confidence surveys and lost sales projections; 

• the meaning of surveys showing consumer unease is unclear; and 

• the Report ignores or glosses over Constitutional issues, enforcement difficul- 
ties, and questions relating to the protection of offline privacy. 

the final version of its report to the Commission on May 15, 2000, describing options for imple- 
menting reasonable access to, and adequate security for, personal information collected online 
and the costs and benefits of each option. 

In conclusion, the Privacy Report fails to pose and to answer basic questions that 
all regulators and lawmakers should consider before embarking on extensive regula- 
tion that could throttle the New Economy. Shockingly, there is absolutely no consid- 
eration of the costs and benefits of regulation; nor of regulation’s predictable and 
unanticipated effects on competition and consumer choice; 4 nor of the experience to 
date with government regulation of privacy; nor of Constitutional issues; nor of how 
this vague and vast mandate will be enforced. 

Industry self-regulation is working. Effective privacy protection is more than a 
numbers game, and the private sector is continuing to address consumer concerns 
about privacy because it is in industry’s interest to do so. Let us not make the 
search for the perfect the enemy of the good. The best way to build consumer trust 
and to ensure the continued growth of the Internet is through a combination of edu- 
cation, strong industry self-regulation, and strong FTC enforcement under existing 
legal authority. It is premature and counterproductive for the Commission to radi- 
cally change course and call for broad legislation. 

The Chairman. Thank you. 

Commissioner Thompson. 

STATEMENT OF HON. MOZELLE W. THOMPSON, 
COMMISSIONER, FEDERAL TRADE COMMISSION 

Mr. Thompson. Thank you, Mr. Chairman. Good morning to you 
and members of the Committee. I wanted to thank you for inviting 
me to appear before you again with my fellow Commissioners to 
address our most recent report on online privacy. 

In 1997 when we began to look at the issue of privacy on the 
Internet, consumer-based electronic commerce was largely viewed 
as a place for the most adventurous and technologically savvy. But 
at the same time, people with vision viewed the Internet as a place 
that could potentially transform the American consumer market- 
place by empowering consumers with access to vast quantities of 
information and new goods and services. 

Since then we have witnessed great progress in achieving that 
transformation. Yet we still have a long way to go until Americans 
fully embrace the Internet and accept its technology as integral 
parts of their daily lives. Today industry, government, and con- 
sumers alike share a common goal of making the Internet as mean- 
ingful and productive for those at the center of the market bell 
curve, namely the family in the suburbs of Canton, Ohio, as it is 
for the technologist in Silicon Valley. 

To achieve this goal, we must be led by the voice of users and 
allow the Internet to become consumer-driven. From the beginning 
of the Commission’s work, consumers have expressed a great con- 
cern about privacy of their personal information on the Internet, 
and industry has focused its attention on attracting the core of 
American consumers. The concern that the public has about pri- 
vacy has only grown louder, so today the issue of data privacy has 
become a litmus for consumer confidence in the online marketplace. 

4 I note that the regulations promulgated to implement the Children’s Online Privacy Protec- 
tion Act (“COPPA”), 15 U.S.C. §6501 et seq., require detailed Notice; Access, including the abil- 
ity to review, correct, and delete information maintained by the site; and a form of opt-in man- 
dated Choice (verifiable parental consent). 16 C.F.R. §§312.4, 312.6(a)(1), 312.6(a)(2), 312.5(a), 
312.5(b). The regulations went into effect on April 21, 2000, and already press reports state that 
some small online companies have stopped providing services to children because implementa- 
tion of COPPA’s requirements is too costly. See, e.g., “New Children’s Privacy Rules Pose Obsta- 
cles for Some Sites,” The Wall Street Journal at B-8 (April 24, 2000) (reporting one attorney’s 
estimate that it will cost her clients between $60,000 and $100,000 annually to meet COPPA 
standards); “New privacy act spurs Web sites to oust children,” William Glanz, The Washington 
Times (April 20, 2000), available at <http://www.washtimes.com/business/default-2000420233432.htm>. 
See also “COPPA Lets Steam out of Thomas,” Declan McCullagh, Wired 
News (May 16, 2000), available at <wysiwyg://1/http://www.wired.com/news/politics/0,1283,36325,00.html>. 

Back in December 1998, I told industry that we were at a critical 
juncture, one where industry is asked to self-regulate at the behest 
of government and public trust. This choice, while daunting, pro- 
vides an exciting and unprecedented opportunity for industry to 
take the lead in shaping public policy for this important new me- 
dium. Consumers are expecting that industry and government will 
work together to find new and better ways to make the Internet 
safe, inspire consumer confidence, and preserve the innovative spir- 
it of e-commerce. But the failure of industry to meet this challenge 
will not only have a negative effect on the future of e-commerce, 
but also on the public’s confidence in industry’s ability to take the 
lead in solving important public policy problems. 

To its credit, the most responsible segments of the online econ- 
omy recognized the importance of data privacy, both from the pub- 
lic policy standpoint and as a test of their own accountability. 

The Chairman. Commissioner Thompson, could you summarize. 

Commissioner Thompson. OK. 

I think that we are at a critical juncture here. I think that what 
we are trying to do is propose a model that is not heavy-handed 
legislation, but provides a means for what some people term as co- 
regulation. That puts industry in the forefront. 

But the problem of Internet privacy may indeed be larger than 
what we originally envisioned. Industry has a very important role 
as the lead, but there are holes in the Swiss cheese. A legislative 
backdrop allows us to get at those holes. You see them in our re- 
port when we talk about the quality of what is being provided, and 
still parts of the Internet industry that are not doing anything at 
all. Those need attention, and we think it is a critical issue for con- 
sumer confidence. 

Thank you. 

[The prepared statement of Commissioner Thompson follows:] 

Prepared Statement of Hon. Mozelle W. Thompson, Commissioner, 
Federal Trade Commission 

In 1997 when the FTC began looking at the issue of privacy on the Internet, con- 
sumer-based electronic commerce was largely viewed as a place only for the adven- 
turous and technologically savvy. At the same time, however, many also viewed the 
Internet as a place that could potentially transform the American consumer market- 
place by empowering consumers with access to vast quantities of information, as 
well as goods and services. Since then, we have indeed witnessed great progress in 
achieving that transformation; yet, we still have a long way to go until Americans 
fully embrace the Internet and accept its technology as integral parts of their daily 
lives. Today, industry, government and consumers alike share the common goal of 
making the Internet as meaningful and productive for those Americans at the center 
of the market bell curve — the family in the suburb of Canton, Ohio — as it is for the 
technologist in Silicon Valley. To achieve this goal, we must be led by the voice of 
users and allow the Internet to become “consumer driven.” 

From the beginning of the Commission’s Internet work, consumers have expressed 
strong concern about the privacy of their personal information on the Internet. And 
as industry has focused its attention on attracting the core of American consumers, 
public concern about privacy has only grown louder so that today, the issue of data 
privacy has become a litmus for consumer confidence in the online marketplace. 

In December 1998, I stated: 

[W]e are all at a critical juncture, a point where industry is asked to self-regu- 
late at the behest of government and public trust. This choice, while daunting, 
presents an exciting and unprecedented opportunity for industry to take the 
lead in shaping public policy for this important new medium. Consumers are 
expecting that industry and government will work together to find new and bet- 
ter ways to make the Internet safe, inspire consumer confidence, and preserve 
the innovative spirit of e-commerce. But, the failure of industry to meet this 
challenge will not only have a negative effect on the future of e-commerce, but 
also on the public’s confidence in industry’s ability to take the lead in solving 
important public policy problems. 1 

To its credit, the most responsible segment of the online economy recognized the 
importance of the data privacy issue — both from a public policy standpoint as a test 
of the technology industry’s accountability, as well as from a consumer confidence 
perspective as a test of industry responsiveness to consumer demand. As a result, 
the industry leaders have worked with the Commission and consumer groups to pro- 
vide the market with seal programs, privacy policies and consumer and business 
education initiatives designed to address the public policy and business challenge 
posed by the issue of Internet privacy. Furthermore, to date, government has appro- 
priately put industry self-regulatory efforts at the forefront of America’s response 
to the privacy challenge. We recognize the important role that industry plays, and 
will continue to play, in defining good business practices in electronic commerce. 
After three years of Internet surveys, public workshops, hearings and reports, how- 
ever, it has become evident that the public policy challenge posed by the issue of 
Internet privacy may indeed be larger than any one segment — industry, government 
or consumers — can address alone. 

People in the Internet community are fond of stating that one Internet year is 
equivalent to three calendar years. The Commission has carefully and cautiously 
waited over three Internet years before recommending legislative action. During 
that time, government, industry and consumers have all learned much more about 
the substantial challenge involved with providing online privacy. In recognition of 
this complexity and the importance of Internet privacy as a threshold issue for the 
future growth of electronic commerce, I believe that now is the appropriate time for 
well-crafted legislation. 

In July 1999, I testified before the Senate Commerce Committee where I cau- 
tioned that industry faced a formidable challenge in achieving effective self-regula- 
tion of Internet privacy. I stated that: 

During the past year, industry leaders have expended substantial effort to build 
self-regulatory programs. However, I believe that we will not progress further 
unless industry acts on the specific shortcomings that our report documents. 
Congress and the Administration should not foreclose the possibility of legisla- 
tive and regulatory action if we cannot make swift and significant additional 
progress. 2 

Based upon what I perceived as real progress by industry in having a greater 
number of Web sites bearing a privacy disclosure, I was willing to withhold calling 
for legislative action to give industry further opportunities to: (1) maximize privacy 
coverage by reaching out to spur non-participating companies to adopt and imple- 
ment effective privacy policies; and, (2) to significantly improve the quality of pri- 
vacy protections by encouraging participating companies to embrace and implement 
what the Commission, the Organization for Economic Cooperation and Development 
and industry groups themselves (See e.g. Privacy Principles of the Online Privacy 
Alliance) have long recognized as the fair information principles of notice, choice, 
access, security and enforcement. 

Now, three years after the Commission submitted its initial report to Congress 
and a year-and-a-half after I posed a direct policy challenge to industry, our most 
recent survey shows that the quality of privacy protections that even the most re- 
sponsible sites provide, is far from adequate. In fact, our survey shows that forty 
percent of the most popular (and presumably most sophisticated and responsible) 
Web sites still do not provide consumers with adequate notice and choice — the most 
fundamental elements for any privacy policy. I believe these results are especially 
disappointing because they demonstrate substantial deficiencies in providing what
most industry leaders agree should serve as the bedrock of privacy self-regulatory
efforts.

1 December 1, 1998, “Managing the Privacy Revolution ‘98,” Remarks Before the 4th Annual
National Conference on Privacy & American Business.

2 July 13, 1999, Statement of Commissioner Mozelle W. Thompson in support of “Self-Regulation
and Privacy Online,” FTC Report to Congress.

So where does that leave us? Based not only on our 2000 Survey results but also 
our three years of working interactively with everyone interested in the online pri- 
vacy issue, a majority of the Commission has concluded that Federal legislation is 
now appropriate because: 

[S]elf-regulatory initiatives to date fall short of broad-based implementation of 
effective self-regulatory programs, . . . [and] that such efforts alone cannot en- 
sure that the online marketplace as a whole will emulate the standards adopted 
by industry leaders. 3 

In making my recommendation, I believe that appropriate legislation should not 
be viewed as a substitute for well-crafted industry self-regulatory programs. This 
point is particularly important because industry self-policing could ultimately pro- 
vide the public with consumer-driven privacy responses. Instead, legislation incor- 
porating directed rule-making and safe-harbors should provide a principled backstop 
for effective industry efforts. Thus, if basic privacy principles and industry self-regu- 
lation define the “Swiss cheese” of online privacy, the Children’s Online Privacy Pro- 
tection Act and our legislative recommendation should be viewed as a means of ad- 
dressing the holes in the cheese. 

I believe the Commission’s recommendation is also consistent with my view of the 
cautious, balanced and responsible approach government should take in the fast- 
moving Internet environment. Our recommendation incorporates the principles of 
interactivity, flexibility and innovation. Through safe-harbors and a rulemaking 
process, government will interact with consumers and industry to implement appro- 
priate solutions to this important public policy problem. Moreover, by recommending 
legislation that “would set forth a basic level of privacy protection for consumer-ori- 
ented Web sites [and providing] an implementing agency with the authority to pro- 
mulgate more detailed standards,” 4 government would avoid an inflexible “one size 
fits all” approach that would preclude recognition that consumers vary their view 
of privacy obligations depending on how they believe their personal information is 
being used. Finally, by recommending a rulemaking process, it is possible to encour- 
age, and over time incorporate, technological innovation that can provide consumers 
with better tools to protect their own privacy. 

Accordingly, I strongly support the recommendations contained in the Commis- 
sion’s May 2000 Report, Privacy Online: Fair Information Practices in the Electronic 
Marketplace. 

The Chairman. Thank you very much, Commissioner Thompson. 
As I mentioned, your complete statement will be made part of the 
record, which I read and I appreciate. 

Commissioner Leary. 

STATEMENT OF HON. THOMAS B. LEARY, COMMISSIONER, 
FEDERAL TRADE COMMISSION 

Mr. Leary. Mr. Chairman, members of the Committee: You have 
my concurring and dissenting statement and, in the interest of 
time, I would just like to summarize and start with the areas 
where I think we have broad agreement. 

There is a dramatic increase in the number of companies that 
publicly address privacy one way or the other, but the quality of 
disclosures varies widely. Too many are confusing, if not mis- 
leading, and I think that the examples that Commissioner Anthony 
has cited for you speak for themselves. More widespread disclo- 
sures of this kind could actually do more harm than good. There- 
fore, I agree with some members of this Committee and with the 
Commission majority that both business and consumers would ben- 
efit from better disclosures. 


3 May 2000, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 35. 

4 May 2000, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 
iii-iv.

There also seems to be broad agreement that any legislation to
address privacy concerns should ultimately apply in the same way 
to both the online and the offline worlds to the extent the informa- 
tion is the same. There are special capabilities in the online world, 
which may require special attention, but there is no reasonable 
basis for treating information that is collected about my purchases 
on Amazon.com any differently from my purchases at Borders. I 
think that we have a consensus on that. 

There seems to be some difference on the issue of timing and 
some question as to whether the Commission has enough expertise 
to recommend broad-based legislation to you because we have stud- 
ied the Internet only. We have had a lot of experience in privacy 
issues in the offline world as well, Senators, and if there are any 
doubts about the issue you have the capability yourselves to inves- 
tigate and satisfy yourselves that when the information is the same 
there should be an equal playing field between the online and the 
offline worlds. 

Finally, I would say that I think we all generally recognize that 
once you get past the issue of notice and disclosure the further ele- 
ments of the so-called fair information practices become progres- 
sively more complicated. There is an even more compelling reason 
for treating them differently than notice or disclosure. I agree with 
those members of this Committee who state that ultimately ade- 
quately informed consumers should be able to select for themselves 
the level of privacy protection they want and may be willing to pay 
for either directly or by foregoing some benefit. 

It is not fair to allow consumers who are particularly solicitous 
about particular elements of privacy and want broad access and 
broad ability to correct, and so on, to impose costs on those con- 
sumers who do not care. So I urge you to consider whether or not 
the market, as it does in so many other areas of our life, will not 
work better ultimately than government regulation. 

There may be certain special categories of information or special 
uses, like health information or financial information, that require 
special treatment in both the online and the offline worlds. But 
they should not be part of a broad privacy policy imposed on the 
Internet alone. 

Finally, I would just like to say that I think it is in all of our 
interest to continue to encourage the self-regulatory schemes which 
are under way and which I believe ultimately hold tremendous 
promise for improving performance in this industry in a market- 
based fashion. 

Thank you. 

[The prepared statement of Commissioner Leary follows:] 

Prepared Statement of Hon. Thomas B. Leary, Commissioner,
Federal Trade Commission

Today the Federal Trade Commission recommends that Congress enact legislation 
to help consumers protect their privacy when transacting business on the Internet. 
I agree that some legislation is appropriate, but believe that the recommendation 
in the Report endorsed by a majority is too broad in one respect and too narrow 
in another. The recommendation is too broad because it suggests the need for 
across-the-board substantive standards when, in most cases, clear and conspicuous 
notice alone should be sufficient. The recommendation is too narrow because any 
legislation should apply to offline commerce as well.

The Report’s recommendation is based, in part, on our common belief that the
Internet has enormous potential to grow our economy; that this potential is inhib- 
ited to some degree by consumers’ concerns about their privacy; and that it is an 
appropriate policy objective to address these concerns and encourage growth. So far, 
so good. The issue, then, is how best to address these privacy concerns in an even- 
handed way. If the Internet is subjected to requirements that do not apply pro tanto 
to offline commerce, the regulatory imbalance could itself inhibit the growth of the 
Internet and undercut our common objective. 

We also agree unanimously that, whatever government does or does not do, the 
private sector will have an important role to play. The majority looks at the 2000 
Web Survey data and concludes that the private sector has failed to address privacy 
concerns rapidly enough. I am not convinced that the Survey supports this conclu- 
sion, but agree, for other reasons, that some legally mandated privacy protections 
would be appropriate. 

The Survey does not necessarily demonstrate that the market has failed to re- 
spond to consumer demand. It only measures “inputs,” the prevalence of privacy 
policies of various kinds; it does not measure “outputs,” the impact that these poli- 
cies have on consumer confidence and consumer behavior. The Survey numbers 
could be read to support alternative scenarios. For example, the most popular sites 
generally have more comprehensive disclosures, and this could mean that some con- 
sumers favor them because of the disclosures. The fact that gains are modest over- 
all, however, may also indicate that consumers are not quite as fixated on privacy 
issues as might appear from the public opinion polls cited in the Report. Marketers 
generally know more about consumer demand than regulators do. 

Marketers know, for example, that consumers’ actual buying habits are not nec- 
essarily consistent with their expressed preferences. Their stated interest in various 
ancillary protections like privacy may fade or become more nuanced, once they learn 
more about them and realize that there are costs attached. Consumer opinion on 
privacy issues appears to be a complex subject, 1 and public opinion polls simply do 
not provide an adequate predicate for a legislative recommendation of the scope con- 
tained in the Report. 

There Is a Need for Better Disclosures 

There is one aspect of the 2000 Web Survey, however, that I find particularly dis- 
turbing. The Survey results do show a steadily rising trend in the number of compa- 
nies that address privacy, one way or another, but we cannot therefore conclude 
that consumers are better informed today or would be even better informed if the 
numbers rose even further. In fact, a site’s mere mention of privacy may lead to 
a misperception that the consumer’s privacy is well-protected, and a plethora of 
varying and inconsistent privacy claims could add to consumer confusion. The Sur- 
vey tells us that the scope of the disclosures varies widely (see Privacy Online: Fair 
Information Practices in the Electronic Marketplace: A Report to Congress (“Re- 
port”) at 38-44) and, in my view, vendors and their customers would both benefit 
from a legislative initiative to require disclosures of greater clarity and com- 
parability. 

Market processes, supplemented by traditional remedies against consumer decep- 
tion, should ultimately provide the most appropriate mix of disclosures and sub- 
stantive protections, but these forces sometimes work slowly and I am convinced 
that privacy concerns have some special characteristics that make it prudent to 
prompt the market to work more rapidly. Some standardization of the disclosures 
would allow consumers to compare more easily the privacy practices of different 
vendors. As we learned when considering environmental marketing claims, for ex- 
ample, 2 varied and inconsistent claims lead to consumer confusion. Consumers may 
not be able to recognize valid and invalid comparisons when they are dealing with 
unfamiliar concepts. When terms have uniform meaning and basic equivalent infor- 
mation is disclosed for each site, the marketplace should work more efficiently. 

Although consumers’ knowledge and understanding of these issues is steadily in- 
creasing, it still has a long way to go. Not only is the Internet a recent invention, 
consumers are just beginning to become aware of the potential for data collection 
both online and offline. Consumers still do not know much about the possible uses
of their personal information (and new ones are invented every day), the ramifications
of permitting its use, and the costs associated with limiting its dissemination.
Because an efficient market presupposes full and accurate information, it is appropriate
to mandate more extensive privacy disclosures.

1 Jupiter Communications, Proactive Online Privacy: Scripting An Informed Dialogue to Allay
Consumers’ Fears, at 3-7 (June 1999).

2 See Guides for the Use of Environmental Marketing Claims (the “Green Guides”), 16 C.F.R.
pt. 260 (1999). When the Commission requested public comment on these Guides three years
later, commentators generally agreed that they benefit both consumers and industry, inter alia,
by promoting consistency and accuracy in claims, helping consumers to make accurate decisions,
and thereby bolstering consumer confidence. See Guides for the Use of Environmental Marketing
Claims, Final Rule, 61 Fed. Reg. 53,311 (1996).

Privacy concerns also differ from concerns about product attributes that con- 
sumers may value. An uninformed decision to deal with a vendor that disseminates 
personal information could have ramifications for years to come, and that decision 
cannot be retracted. The marketplace may ultimately discipline the less-than-candid 
vendor, but the potential consumer harm will continue because the personal infor- 
mation may have spread and cannot be retrieved. The privacy loss and consequent 
harm results from mere participation in the market, with insufficient notice, not 
from a bad purchase decision. By contrast, if consumers are uninformed about par- 
ticular product attributes, and regret the purchase, the damage may at most be lim- 
ited to the value of the purchase. 3 

I therefore agree with the Report insofar as it recommends a legislative prod to 
ensure better disclosures. Thereafter, I part company. 

The Report’s Proposal Is Too Broad 

The Report’s recommendation is framed around the so-called “fair information 
practices” of notice, choice, access, and security. Notwithstanding references to the 
need for flexibility (see, e.g., Report at 60-61), the overall thrust of the Report is 
that any privacy policy should, at a minimum, recognize substantive consumer 
rights in each of these areas. What the Report does not do is adequately explain 
why. 

In addition to its expertise on consumer disclosures, the Commission is supposed 
to have some expertise in the operation of competitive markets — when they are like- 
ly to succeed and when they are likely to fail. The Report does not explain why an 
adequately informed body of consumers cannot discipline the marketplace to provide 
an appropriate mix of substantive privacy provisions. These are matters that Con- 
gress can and should investigate on its own, but our Report does not provide any 
help. It is one thing to recognize that the fair information practices (beyond ade- 
quate notice) are laudable goals and to encourage their adoption by various self-cer- 
tifying industry groups. These certifying programs can make a valuable contribution 
by reinforcing consumers’ confidence and reducing consumer costs of obtaining infor- 
mation. It is quite another thing to urge that the practices, in one form or another, 
be mandated by legislation and by rules. 4 

When the Commission issued the Green Guides, it expressly disclaimed any au- 
thority or intention to achieve a substantive result: 

The Commission does not have a statutory mandate to set environmental policy. 
It is not the Commission’s goal, for example, to require that product [sic] be “re- 
cyclable.” Rather, any Commission cases, rules, or guides would be designed to 
address how such terms may be used in a non-deceptive fashion in light of con- 
sumer understanding of the terms. 5 

These disclosure-oriented guides did have a substantive effect; later public com- 
ments indicated that they did “encourage manufacturers to improve the environ- 
mental characteristics of their products and packaging,” while “allowing flexibility 
for manufacturers to improve the environmental attributes of their products and to 
communicate these improvements to consumers.” 6 Better information did lead to a 
better market outcome. In my view, we should follow the precedent of the Green 
Guides, and not request the authority to issue substantive standards. 

The fact that the fair information practices have been favorably regarded in the 
regulatory community for almost thirty years (Report at 8-9), does not justify man- 
datory legislation. A provenance from the 1970s is scant cause for comfort, because 
government regulators, here and throughout the world, had much less faith in free 
market institutions then than they have today. 7 Moreover, it cannot be claimed that
the fair information practices are “widely-accepted” in the business community (Report
at 8). Our own Survey of the Internet world demonstrates the contrary, and
there is no indication that the principles are widely accepted in the offline world
either. I would not be so quick to conclude that we are right and so many others
are wrong. 8

3 This limitation may not apply to products that are hazardous to health and safety, and this
is one reason why there are also affirmative disclosure requirements to deal with these risks.

4 I acknowledge that previous Commission reports to Congress, which advocated a “wait and
see” policy, have suggested that legislation could be appropriate if the fair information practices
were not more broadly adopted. I would not have endorsed that aspect of the previous reports
either, had I been here.

5 Request for Public Comments on Issues Concerning Environmental Marketing and Advertising
Claims and Pending Petitions, 56 Fed. Reg. 24,968 (1991).

6 Guides for the Use of Environmental Marketing Claims, Final Rule, 61 Fed. Reg. 53,311,
53,313 (1996).

7 See, e.g., Daniel Yergin and Joseph Stanislaw, The Commanding Heights: The Battle Between
Government and the Marketplace that is Remaking the Modern World (1998).

The Report not only fails to explain why adequate disclosures are insufficient, it 
passes too lightly over issues of complexity. Granted, these are issues more appro- 
priately addressed in a rule-making proceeding, but Congress needs to have a better 
understanding of what we mean when we ask for authority to set “reasonable” 
standards. For example, the Report recognizes that “access” is a complicated matter 
and indicates that any determination of what is “reasonable” should be informed by 
the discussion of the Advisory Committee on Access and Security (Report at 30-31, 
61). At the same time, however, the Report endorsed by the majority states flatly 
that “the Commission believes that fair information practices require that con- 
sumers be afforded both an opportunity to review information and an opportunity 
to contest the data’s accuracy or completeness — i.e., to correct or delete the data.” 
(Report at 32). This is an extraordinarily broad claim, which could in many cases 
lead to vast expense for trivial benefit and which provides an ominous portent for 
the content of any substantive rules. 

Even “choice,” which at first glance seems only a natural corollary of “notice” is 
a complicated subject. The Report recognizes, for example, that it may be appro- 
priate to provide affirmative benefits if a consumer agrees to certain personal disclo- 
sures (Report at 61). If the collection of data is one thing that makes it possible for 
a vendor to offer lower prices, consumers who are particularly tender of privacy 
would otherwise be able to free ride on the value created by those who are not. (If 
a supermarket issues a card that offers discounts to people who use it, in exchange 
for compilation of useful data, consumer “choice” surely does not involve the right 
to get the discount without supplying the data. 9 ) 

On the other hand, if the premium for permission to use information is too gen- 
erous, or the penalty for refusal too severe, consumer “choice” really involves noth- 
ing more than the “choice” to refuse dealings with the vendor. The issue of what 
is or is not a reasonable price differential is complicated, but may be too difficult 
to bother with in a situation where a particular vendor competes with a number 
of others that have their own policies. Does this mean that reasonableness should 
depend on the market power of the vendor? 

Other examples could be cited to illustrate the difficulties involved in fashioning 
substantive rules about choice, access and security, but there is no need to burden 
this statement further. Congress can, and should, explore these issues in detail if 
it takes up this aspect of the Report’s legislative recommendation. 

I therefore believe that any across-the-board legislative mandate should be con- 
fined to notice alone, although disclosure rules might appropriately provide that no- 
tice include information about the other categories. In some cases, involving par- 
ticular kinds of information or particular uses, the risk of harm may be so great 
that specific substantive standards are required. This is a legislative judgment. Con- 
gress can, and already does pass industry-specific legislation to deal with these situ- 
ations. 10 In addition, I believe it is entirely appropriate for the Commission to im- 
pose more specific restrictions as “fencing-in” relief in a consent settlement, in order 
to discipline the future behavior of business entities that have misused consumer 
information in the past. 

The Report does recognize (Report at 25) that notice is “the most fundamental of 
the fair information practice principles,” but it recognizes it for the wrong reason. 
Notice is not fundamental “because it is a prerequisite to implementing other fair 
information practice principles, such as Choice or Access” (Id.); it is fundamental because
it helps the marketplace accurately to reflect consumer preferences with respect
to the other principles. Consumers, so long as they are informed by clear and
conspicuous disclosures, will be able to select the vendors that give them the privacy
protections they want and are willing to pay for.

8 The Commission’s own Internet privacy policy, which can be readily accessed by a click on
the Commission’s home page, provides notice only. The Commission does protect consumer privacy.
It complies with the Privacy Act of 1974, a statute that applies fair information practice
principles to the federal government’s collection and use of information. 5 U.S.C. §§552a et seq.
However, the Commission’s privacy policy does not provide information about choice, access or
security measures.

9 This use of an offline example is deliberate because the logic is not dependent on the mode
of collection. See discussion, infra pp. 10-12.

10 Gramm-Leach-Bliley Act, 15 U.S.C. §§6801 et seq.; Telecommunications Act of 1996, 47
U.S.C. §§222 et seq.; Video Privacy Protection Act of 1988, 18 U.S.C. §§2710 et seq.; Cable Communications
Policy Act of 1984, 47 U.S.C. §§551 et seq.; Fair Credit Reporting Act, 15 U.S.C.
§§1681 et seq.

The Report’s Proposal Is Too Narrow 

I also disagree with the Report’s legislative recommendation to the extent that it 
treats issues of online privacy as wholly different from offline privacy. At times the 
Report acknowledges the existence of offline privacy concerns and the erosion of the 
distinction between online and offline commerce (Report at 8 n.26, 55 n.196), but 
it justifies special treatment of Internet privacy on the ground that the technology 
of the Internet has “enhanced the ability of companies to collect, store, transfer and 
analyze vast amounts of data[.]” (Report at 1). 

Of course, some privacy issues are particular to the Internet. This new technology 
has permitted uniquely invasive tracking of consumer preferences by recording not 
just purchases, but consumers’ movements on the Internet as well. This practice of 
tracking, including third-party profiling, may be particularly threatening and distasteful
to many. (See Report at 37-38, discussing so-called “cookies”). Any legislative
or regulatory scheme can and should ensure that consumers are adequately in-
formed about these Internet capabilities. 

However, the majority’s recommendation is not focused on the special characteris- 
tics of e-commerce or on particular categories of sensitive information collected on- 
line. Instead, the majority would apply the fair information practice principles to 
any personal information collected by any commercial Web site, even though the 
identical information can be collected offline. The distinction between online and off- 
line privacy is illogical, impractical and potentially harmful. 11 Let me examine each 
of these points in turn. 

Recognition of the privacy concerns specific to e-commerce should not obscure the 
fact that in significant respects online privacy concerns are identical to those raised 
by offline commerce. The same technology that facilitates the efficient compilation 
and dissemination of personal information by online companies also allows offline 
companies to amass, analyze and transfer vast amounts of consumers’ personal in- 
formation. 12 Offline companies collect and compile information about consumers’ 
purchases from grocery stores, pharmacies, retailers, and mail order companies, in 
particular. 

It is also not possible to distinguish offline and online privacy concerns on the 
basis of the nature of the information collected. With the exception of online 
profiling, it is the same information. The Report’s recommendation would require 
Amazon.com to comply with the fair information practice principles but not the local 
bookstore which can compile and disseminate the same information about the read- 
ing habits of its customers. The consumer polls, upon which the Report places such 
significant reliance, demonstrate that consumer concerns about the disclosure of 
personal information are not dependent on how the data has been collected. 13 

Moreover, it is impractical to maintain such a distinction. Businesses are likely 
to have a strong incentive to consolidate personal information collected, regardless 
of the mode of collection, in order to provide potential customers with the most per- 
sonalized message possible. Already, companies are seeking to merge data collected 
offline with data collected online. 14 In light of this reality, the majority’s rec- 
ommendation would result in perverse and arbitrary enforcement. Enforcement ac- 
tions would depend on the source of and method used to collect a particular piece 
of consumer data rather than on whether there was a clear-cut violation of a com- 
pany’s announced privacy policy or mandated standards. 

Finally, the Report’s focus only on online privacy issues could ultimately have a 
detrimental impact on the growth of online commerce, directly contrary to the Re- 
port’s objectives. It is clear from the Advisory Committee’s Report on Access and Se- 
curity and from limited portions of the Commission’s own Report that implementa- 
tion of the fair information practices will be complex and may create significant 
compliance costs. Online companies will be placed at a competitive disadvantage
relative to their offline counterparts that are not forced to provide consumers with the
substantive rights of notice, choice, access and security. Traditional brick and mor-
tar companies that have an online presence or are considering entry into the elec-
tronic marketplace will be forced to assess how the cost of regulation will affect
their participation in that sector.

11 Chairman Pitofsky has expressed some of these views in one of his own speeches. See Rob-
ert Pitofsky, Electronic Commerce and Beyond: Challenges of the New Digital Age, Speech before
the Woodrow Wilson Center, Sovereignty in the Digital Age Series, Washington, D.C. (Feb. 10,
2000).

12 Abacus, a consortium of mail order companies, is a good example of the ability of merchants
to compile and share detailed data about consumers’ purchasing habits. See In re Trans Union,
Docket No. 9255 (Feb. 10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000).

13 See IBM Multi-National Consumer Survey, prepared by Louis Harris Associates Inc., at 22-
24 (October 1999).

14 Dana James, Synchronizing the Elements; Traditional Companies, Yearning to Catch Up on
the Basics, Find Value in Merging Online, Offline Databases, Marketing News, Feb. 14, 2000,
at 15.

A better approach would be to establish a level playing field for online and offline 
competitors and to address consumers’ privacy concerns through clear and con- 
spicuous privacy disclosures. Any privacy concerns that are unique to a particular 
medium or that involve particular categories of information (however collected) can 
continue to be addressed through separate legislation. 15 

The Report’s recommendation limits itself to online privacy for reasons that seem 
primarily historical. The Commission first looked at the online world at a public 
workshop in 1995, followed by subsequent workshops in 1996 and 1997. Then, start- 
ing in 1998, Commission staff conducted annual surveys of Internet sites and their 
privacy policies to measure in a rough way the state of industry self-regulation. 
Each survey has been reported to Congress. The Report’s legislative recommenda- 
tion flows from that series of surveys. The surveys have provided a lot of useful in- 
formation, and undoubtedly spurred industry attention to online privacy issues, but 
the scope of these particular surveys should not dictate the parameters of a legisla- 
tive proposal. 

The Commission has ample information available to support a broader rec- 
ommendation, and Congress will have ample opportunity to develop its own legisla- 
tive record. The fair information practices so frequently referenced in the Report 
were, after all, originally developed to address concerns regarding the collection of 
information offline. And the Commission itself has had significant exposure to off- 
line privacy issues. For example, the Commission has enforced the Fair Credit Re- 
porting Act since its enactment in 1970. 16 This statute addresses consumer concerns 
about the collection and dissemination of sensitive data by credit bureaus. Although 
the Act predates the advent of the fair information practices, its provisions mandate 
some of these same requirements. 17 

The Commission also undertook in 1997 a study of the “look-up” service industry, 
computerized database services that collect and sell consumers’ identifying informa- 
tion. The workshop and subsequent report to Congress focused on the benefits of 
these services as well as the risks, including consumers’ privacy concerns. 18 Al- 
though the Internet increased access to these informational products, the informa- 
tion at issue was primarily collected offline. Finally, just last week, the Commission 
issued its final rule implementing the privacy provisions of the Gramm-Leach-Bliley 
Act, a rule that focuses on the treatment of consumer information by financial insti- 
tutions — again without regard to how the information was collected. 19 

Even if the Commission majority, who endorse the Report, determined that our 
experience was insufficient to assess offline privacy concerns, a better course would 
have been to invite further Congressional inquiry. As it is, the Report’s advocacy 
of legislation limited to the online world suggests that public remedies should be 
bounded by the scope of the studies we have chosen to conduct. This is thinking up- 
side down. 

Existing Remedies Should Be Actively Pursued 

Legislation to mandate more comprehensive and clear privacy disclosures should 
ensure in the long run that the marketplace provides consumers with their desired 
level of privacy protection. Legislation and rule-making may take considerable time, 
however, and in the interim some consumers may suffer long-lasting harm because 
they have not been adequately informed about privacy issues. In order to reduce 
these potential harms, I would recommend that the Commission take some imme- 
diate steps. 

First, the Commission should more actively employ its existing authority under 
Section 5 to prohibit unfair or deceptive practices. We can not only challenge
outright violations of express privacy policies, 20 but also challenge policies that deceive
because they impliedly offer more protection than they deliver. As noted earlier, al-
though the Survey results demonstrate an increase in the number of privacy disclo-
sures, they also indicate that these disclosures often involve inconsistent or con-
fusing claims. (Of course, enforcement actions should only be brought in cases of
clear-cut deception, so that companies which attempt in good faith to provide infor-
mation, up to now on a voluntary basis, would not be chilled from doing so.)
Stepped-up enforcement in this area, as elsewhere, serves a double purpose: it ad-
dresses specific situations and sends a message both to consumers and businesses.

15 See supra note 10.

16 15 U.S.C. §§ 681 et seq.

17 The Commission recently issued its decision in In re Trans Union, Docket No. 9255 (Feb.
10, 2000), appeal docketed, No. 00-1141 (D.C. Cir. Apr. 4, 2000), an enforcement action con-
cerning the dissemination by a credit bureau of certain information to target marketers. The
decision considered not only the privacy implications of this practice but also the availability
of other information collected offline.

18 See Individual Reference Services: A Federal Trade Commission Report to Congress (Dec.
1997).

19 See Privacy of Consumer Financial Information, _ Fed. Reg. (2000) (to be codified at 16
C.F.R. pt. 313).

Beyond this, the Commission should redouble its efforts to educate consumers di- 
rectly about the benefits and potential risks associated with the collection and dis- 
semination of their personal information. Without additional authorization, we can 
help consumers to better understand the meaning of various privacy disclosures. In- 
formed consumers will ultimately be the most effective agents for protection of pri- 
vacy, online and offline, by rewarding companies that offer the preferred levels of 
protection. 

The Chairman. Thank you very much, Commissioner. 

We have another panel and I know all of our members have 
questions, so I will just ask one. As has been pointed out, at least 
statistically it is fairly impressive the number of Web sites that 
offer privacy policies. But once you get into some of these so-called 
policies it gets somewhat interesting. 

In May, USA Today reviewed 10 major Web sites and found their 
policies to be a confusing jumble of incomprehensible language rid- 
dled with loopholes. Yahoo’s policy, for instance, is eight pages 
long, and your survey finds that fewer than half of the sites had 
clearly worded procedures. 

One of the more controversial Web sites, Doubleclick, says that 
it would use personal information only with your “permission.” It 
does not tell you that it assumes it has permission unless you ex- 
plicitly opt out. And here is what you have to do: Read the first 
1,468 words, click on a link to another page, read 650 more words 
that tell you why you should not opt out, read 200 more words urg- 
ing you once again not to opt out, and click onto a final link to opt 
out of the program. 

That is not exactly privacy as some of us understand it. Now, I 
think this is a matter of real concern, particularly when we look 
at what Doubleclick was set up for. I wonder if, according to your 
report, as the numbers of Web sites that provide “privacy protec- 
tion” are more like Doubleclick’s than the kind of thing we assume 
that would allow us to ensure privacy. 

So I guess I would begin with Chairman Pitofsky and go through 
the witnesses, because I think this is a serious problem, for a Web 
site to advertise that it will protect your privacy and then have this 
kind of mumbo-jumbo. When Yahoo, which is one of the most re- 
spected and I believe the most used Web site, takes eight pages 
and 3,405 words and 167 sentences, that is not what we had in 
mind and I hope it is not your definition of a Web site that allows 
people to have their privacy ensured. 

We will begin with you, Commissioner Pitofsky, and we will go 
through in order of how the Commissioners spoke. 

Mr. Pitofsky. Mr. Chairman, I went through the same process 
with Doubleclick that you followed and I have to tell you, if I did
not have somebody helping me I would never have found out how
to get to the third and fourth screen in order to opt out.

20 See FTC v. ReverseAuction.com, Inc., No. 00-0032 (D.D.C. Jan. 6, 2000); GeoCities, FTC
Dkt. No. C-3849 (Feb. 12, 1999).

The Chairman. And you are a former university professor. 

Mr. Pitofsky. And I have been doing this consumer protection
work for 30 years. 

I would have been lost somewhere between the third and the 
fourth screen. This example is extreme, but I tell you, it is not the 
only one. I saw one yesterday that was brought to my attention, 
the headline is: “We protect your privacy. Read on and find out the 
terms.” There are then ten single-spaced pages. Lawyers would 
have trouble reading it. When you get to the ninth page, you find 
out you have no rights at all. It is notice, I suppose, but it is a kind 
of notice that does not do consumers much good. 

But on the other hand, 60 percent of the Web sites have notice 
that we found was quite fair. The question is how you get from 
that 60 percent all the way to the end. Let me just repeat what 
I said: I am all for self-regulation, but if the self-regulators cannot 
say: if you fail to give better notice than that you violate our stand- 
ards and we will refer you to some law enforcement agency, then 
I am afraid many of these Web sites who are fairly irresponsible 
are going to say: Well, why do I not keep making the money selling 
private identifiable information; so take my seal away from me; I 
will have to get along without it. 

I think there has to be a backup. Effective self-regulation in my 
experience almost always has that kind of backup of law. 

The Chairman. Did you see the Yahoo Web site? 

Mr. Pitofsky. I did not see that one. 

The Chairman. I am curious whether that would warrant a seal 
of approval. And I say that not in any bias for or against Yahoo, 
but the fact is it is the most popular Web site there is. 

Mr. Pitofsky. Let me check it out and I will get an answer for 
you. 

The Chairman. Thank you. 

Commissioner Swindle. 

Mr. Swindle. I will defer to Commissioner Anthony since she 
was second — OK, or I will continue. 

The Chairman. I am sorry. Commissioner Anthony, I am sorry. 
I apologize. 

Ms. Anthony. That is all right, Senator McCain. 

My view is that a uniform standardized notice setting forth in a 
simple manner, understandable and noncontradictory would be a 
good thing for consumers to reveal what exactly the Web site’s 
practices are, and then have an opportunity to either opt in or opt 
out. If there is additional information that needs to be conveyed to 
the consumer, there could be interactive “click-here” links on a 
standardized uniform notice that could be utilized to further ex- 
plain the policy. 

But I do not think consumers have any protections if the policy 
is so confusing that not even a university professor can understand 
it. 

The Chairman. Well, I will not comment on university profes- 
sors. 

Commissioner Swindle. 
Mr. Swindle. Mr. Chairman, I think we all agree that these
lengthy dissertations that we go through, they are so bad that we 
do not look at them. That is obviously counterproductive, and I 
think we can all agree that some form of reasonable English no- 
tice — and I do not want to get trapped into saying I am for English 
only here, since we have other people of other languages 

The Chairman. How do we enforce that, then? 

Mr. Swindle. The enforcement of it, I think, comes from the Fed- 
eral Trade Commission with its existing regulations. We had a case 
here a couple of years ago called Geocities. It is a very popular site. 
I personally have never visited it, but I will take the staff’s word
that it is very popular. They had a privacy statement and they said 
that, we will do certain things. 

We alleged that, contrary to what they said, they turned around 
and shared the information with a third party in some sense. They 
settled the case with us. However, once they posted the policy they 
then came under the umbrella of Section 5 of the Federal Trade 
Commission Act, and if they are deceiving their customers we have 
authority to do something. 

Now, our surveys, as has been reflected here in some of the num- 
bers that are addressed today, indicate that something on the order 
of 90 percent of all Web sites have posted some form of notice. 
Now, if that notice was properly conveyed in a more simple manner 
than we are seeing now, to express what the site does in the way 
of collecting information and how it uses it, all those sites would 
be under the oversight of the Federal Trade Commission under the 
existing laws. 

I might point out that, even though we have a quantum leap in 
the number of sites that have these notices, we have only handled 
just a bare handful of cases in which we have challenged the prac- 
tices that they are implementing, having stated what they do, such 
as in Geocities. But I think if we continue to expand the numbers 
of people who have notice, state their privacy policies, and we apply 
very close scrutiny on what they are doing, I think the effects of 
FTC action will have a positive effect on seeing more comply with 
it. 

The Chairman. Commissioner Thompson. 

Mr. Thompson. Mr. Chairman, I agree with you that — and you 
are talking about what we consider to be the good guys, because 
there are people out there who are saying nothing, and that we 
have very few tools to get at those people. One of the questions 
that some people raise is what is it that industry cannot fix on its 
own? As you may remember, last year I was here and I talked to 
you a little bit about coverage, and I said that there is a core group 
that you still cannot get to. They are still out there, and consumers 
deserve better. 

Second of all, there is also a benefit to having a level playing 
field here, so that there are not these wide disparities, so the con- 
sumers wind up taking a risk every time they go on the Internet. 

The reason I might disagree slightly with some of my colleagues 
about why online and why now, is because the Internet provides 
you with an opportunity. The Internet allows somebody to follow 
you around the shopping mall without your knowledge. It is a little 
bit different. And because it allows you to aggregate data and collect
it on a real-time basis as you put it in, they get it and they
use it, means something. So I think there is a slight difference. 

One other thing is that I understand that Forrester Research is 
coming out with a report today that is going to talk a little about 
this, about some of the pressures on businesses in the dot-com 
space that make it more advantageous to sell data. They need to 
do that for economic reasons, and the combination of hyper- 
partnering, meaning companies doing things with other companies, 
the pressure to get profits in that way may actually mean that you 
will see more of this occurring in the Internet space faster. 

The Chairman. Mr. Leary. 

Mr. Leary. Mr. Chairman, I agree with the majority here that 
there should be some legislation directing us to make rules to as- 
sure more consistent and more adequate disclosure. That is some- 
thing we know how to do and we have done in other areas. 

I also agree with a somewhat different majority that you should 
have the same disclosures when you order by mail or when you 
open a charge account at your department store to the extent the 
information is exactly the same. 

Thank you. 

The Chairman. Senator Hollings has a question, and we have 
two votes on the floor and after that we will take a brief recess 
until we can return from the vote. Thank you. Senator Hollings. 

Senator Hollings. There is not any question that the offline 
should be regulated as online. We gave it to you to do just as you 
just said, Mr. Leary, that you promulgate rules and regulations for 
the offline as we have it for the online. Otherwise we have got the 
proposition, of course, that it is going to be more difficult each day 
that passes to ex post facto or retroactively do anything. We are 
into an environment where the best of the best — and I know Fred 
Yang and Yahoo and they are one of the best, and yet they give 
little notice. You can see the game that is going on. 

I feel like I am in a class where the professor is grading by way 
of a scale and everybody is cheating. I am going to have to cheat 
in order to pass, regardless of how much I know about the subject. 

Kennedy said years ago, the captain who waited for his ship to 
be fit never puts to sea. So we put to sea with S. 2606, and we did 
it with your counsel. There is not any question that you folks are 
the nearest experts I can find and the most objective folks that I 
can find. Our staff has done, along with your staff, an outstanding 
job. 

We have drawn a target with S. 2606. Maybe most of you have 
not had a chance to read it because we waited for you to submit 
your report and then we of course introduced our bill. We already 
have ten co-sponsors. 

I want each of you in writing to give me criticisms of that par- 
ticular bill, what is heavy-headed, what is unrealistic, and what is 
impossible for industry. We have been very considerate of industry. 
The Internet is not going to stop. All of these folks here act like 
some day it is going to slow down. It will never slow down. This 
thing is a dynamic that is running way ahead of all of us, and each 
day that passes with State’s attorneys general all trying to pass 
their laws, with any and everything coming out of the Congress 
and nothing real, we have got to really move on this thing. After 
5 years, I think we are pretty well in a position to move with your
counsel and criticism. 

Please do that for me, and we thank you very, very much for 
what you have done for us so far. 

Excuse me. The Committee will be in a brief recess. 

[Recess.] 

The Chairman. The Committee will resume. Please, Commis- 
sioners, take your seats, and we will begin questioning. I think 
Senator Wyden by early bird rules is next. 

Senator Wyden. Thank you. Thank you very much, Mr. Chair- 
man. I will let our guests get their seats. 

[Pause.] 

Mr. Chairman, this question is for you. As you know, Senator 
Burns and I have been at it for well over a year trying to craft bi- 
partisan legislation. As I have indicated, I happen to think that 
Senator Hollings, Senator Kerry, and others are making important 
contributions. I think it would be helpful if you could tell us, in 
your view are there any dangers in waiting to pass bipartisan pri- 
vacy legislation? 

Mr. Pitofsky. It is an interesting question. Yes, I think that
there are inappropriate invasions of privacy that go on at this time, 
and they are of a sort that it is difficult for us to get at under 
present law. Nothing is said about privacy or it is a confusing dis- 
closure, but not really a deceptive one. 

So I think there is always a question of protecting consumer 
rights as promptly as possible. On the other hand, I do think, hav- 
ing worked on this now for 5 years and very energetically for 3, 
there are differences of view reflected in some of the legislation. 
There are tough questions that were raised by our advisory com- 
mittee and in our report. Therefore I think it is more important to 
do this in a thorough and careful way than to rush to any judg- 
ment in this area. 

I think we are all aware that it is the end of a Congressional ses- 
sion and there are not that many legislative days left. If it can be 
done appropriately in a short period of time, fine. But I think it is 
more important to get it right. 

Senator Wyden. Do you believe that you have existing rule- 
making authority under your underlying statute, the organic stat- 
ute, to protect consumer privacy? 

Mr. Pitofsky. No, we do not. That is the point. It seems to me 
we need the kind of legislation that we have recommended and 
that you and Senator Burns have authored in order to engage in 
rulemaking. We could call invasions of privacy “unfair,” but I do 
not believe that we could sustain that position. 

Senator Wyden. Let me wrap up with this. I do not think what 
you are talking about now is a radical departure from your pre- 
vious position, and I do not think you are abandoning self-regula- 
tion. I hope that what people will see in this whole effort is that 
this is not some sinister government power grab. This is an oppor- 
tunity to empower the consumer; at the end of the day, what we 
want to do is give consumers control over important information. 

We can have this debate about the technical terms, opting out 
and opting in. In English what we all understand is that explicit 
permission from the consumer for things like medical and financial 
information is clearly their expectation. Senator Kerry has defined
that as opt-in. 

At the same time, if you subscribe to Newsweek for 20 years and 
they are thinking about contacting you for the 21st year, we should 
not make them send you one letter in order to get permission to 
send another letter. I think the approach that you are talking 
about is very much in line with the bipartisan legislation that Sen- 
ator Burns has talked. I think it is consistent with the kinds of 
ideas Senator Hollings and Senator Kerry have expressed, and we 
appreciate your leadership and look forward to working with you. 

Thank you, Mr. Chairman. 

The Chairman. Senator Kerry. 

Senator Kerry. I appreciate Senator Wyden’s comment. Senator 
Wyden, Senator Hollings, Senator Rockefeller, and I were chatting 
on the floor a few moments ago, and it seems to me that there is 
an opportunity here for us, Mr. Chairman, to try to see if we can- 
not find a bipartisan meeting ground here that pulls people to- 
gether. I do not think we are that far off. 

Clearly, medical and financial Web sites deserve some kind of 
special status. I think we can agree on that. We need to find a way 
to do that. 

I still maintain that the degree to which, when you get beyond 
the notice, the choice, access, and security issues are at this point 
perhaps left too much to the regulatory process rather than trying 
to bring the marketplace into it. This would bring the private sec- 
tor into some perhaps joint resolution that might even result, for 
instance, in something like an FTC seal of approval, in conjunction 
with the corporate community in a joint effort to arrive at an 
agreement as to what the appropriate measure should be. 

It seems to me there are some choices in front of us. But I still 
remain troubled. Let me ask this question first. If we were to pass 
a fairly significant disclosure and fairly clear disclosure require- 
ment, without mandating in specificity each aspect of choice, ac- 
cess, or security, would you not then be empowered to enforce? And 
would you not, if you joined together with the community in this 
sort of FTC seal, be leveraged significantly in your ability to be 
able to hold people accountable? 

Mr. Pitofsky. In my view, a notice bill is better than the status
quo and I would be comfortable with it. But I think we should go 
further. I believe Congress should go further. 

Let me emphasize the choice aspect, because access and security 
become very complicated. But what would be the consequence of a 
bill that mandated notice — and we could enforce that, of course — 
but did not provide choice? Well, first of all I would point out that 
is not the way we do things in consumer protection. We do not say 
to consumers: If you go to a store and you are the victim of bait 
and switch, if you buy a defective product, if you buy a dangerous 
product, if you are abused in credit terms, then why do you not go 
to some other store? We say to them: You have a right to be pro- 
tected against fraud. 

Now, if privacy is worthwhile — and I believe it is — then we ought 
to go the next step and say: First, you should be told what is going 
to happen with that information; and, second, you should be given 
an opportunity to say count me out. 
Senator Kerry. Sure. But my point is, rather than mandating
whether it is going to be opt-out or opt-in in a particular instance, 
it seems to me you could arrive with the industry at a fair set of 
options on which you put your approval. And if they vary from that 
or they are not clear, as Chairman McCain suggested they are not 
in eight pages — I agree with that. It is clear. You go on the Inter- 
net today to some of these sites and it is an exercise in obfuscation. 
They are clearly trying to not have you opt-out. 

So we need to empower consumers. Most people I talk to who are 
in the industry want to empower consumers. The entire salesman- 
ship of this industry has been based on its democratization impact 
and consumer empowerment. So it seems to me you could arrive 
at that, could you not? 

Mr. Pitofsky. I agree and I think we could. I think if we sat 
down with the responsible people in this industry, from what I 
have seen of their behavior so far, we could find common ground 
about what the rules of play ought to be. 

Senator Kerry. I also want to say that I think it is far more ur- 
gent because of the conglomeration of information on the net and 
because of the speed with which the net moves and sort of the new 
awareness of choice. The American public is now becoming far 
more sensitized to the privacy issue. 

But, in point of fact, we cannot just gloss over this offline-online 
distinction. It sometimes amuses me. Somebody does not want to 
give their credit card on the Internet, but they will hand it to a 
waiter at a restaurant they have never been to and they are never 
going to go to again. He disappears in a back room for 5 minutes 
and they do not have a clue what happened to the credit card or 
what may happen in the ensuing days. 

Likewise, you can buy, I am told, criminal information records on 
individuals in the marketplace today. Additionally, information is 
available on somebody’s social security number and through any 
kind of credit check. I have seen people’s personal credit card 
transactions appear in newspapers based on their private sleuthing 
through the offline market. 

So the notion that there is some new threat really needs to be 
thought through, because the level of loss of privacy of the average 
American today is absolutely extraordinary. Marketing takes place 
in highly specified ways offline, but we are only worried about on- 
line, this seems imbalanced. 

Do you not agree that these are inconsistencies we have got to 
try to work through? 

Mr. Pitofsky. I do agree with that. 

Senator Kerry. Are there not dangers in the offline issue? 

Mr. Pitofsky. Speaking for myself, I have increasingly come 
around to the view — I did not start there — that the theory of distin- 
guishing online from offline is really rather weak. I was very influ- 
enced by one of our advisory panel people who said: What is the 
point of treating differently warranty information that is gathered 
when the consumer files a warranty card — an example of offline 
private information — when we know some clerk is going to sit there 
and read it right into an electronic format? Why would you treat 
one differently than the other? I found that a very powerful argu- 
ment. 
I am also influenced by the fact that we hear that through merg-
ers, joint ventures, and otherwise that online and offline companies 
are merging their data bases, and that is another reason why we 
should think about both. 

Senator Kerry. But I also say respectfully, and I will terminate 
on this, that that is another reason why I think we need to ap- 
proach this thoughtfully and carefully. I suggest simply that if we 
had at least the first step, where we all could agree on a simple, 
clear, straightforward form of required disclosure with a set of 
principles on which each of the acceptable four major principles 
and enforcement: security, access, choice, notice, and enforcement. 
If we could establish that in terms of principles, and then you went 
to work with the industry, it seems to me that you may wind up 
with a better product. Meanwhile, we can go to work. 

Now, I want to emphasize, Mr. Chairman, on financial informa- 
tion and medical information those are places where there ought to 
be significant rigidity and clarity, and I hope the Committee can 
come together on it. 

Thank you, Mr. Chairman. 

The Chairman. I would remind Committee members we do have 
another panel after this and it is now quarter to 12. So I hope we 
can ask sufficient questions and yet exercise brevity. 

Senator Burns. 

Senator Burns. Thank you, Mr. Chairman. 

I only have one question in listening to the testimony here. It 
will be very simple. We are pretty much — we agree that the four 
areas of concern in this are notice, choice, access, and security. Ms. 
Anthony, I was interested in your recommendation on strong en- 
forcement mechanisms as well as an audit process. Can you give 
me some detail on what that might look like? I would be interested 
in that. 

Ms. Anthony. Well, as I said in my testimony, Senator Burns, 
there are enforcement mechanisms at hand. The seal programs I 
think really had a very sensible way to deal with privacy. However, 
I am unaware of anybody that they have kicked out for not com- 
plying, and I do not think everyone has complied. 

I think also that government has used, in the past, industry 
standards in audits, and that is just another suggestion. I am not 
making any firm recommendation on those fronts. I am just throw- 
ing them out as suggestions for you to consider when you devise 
some enforcement mechanism. 

Senator Burns [presiding]. That is — everybody jumped up and 
ran away. Oh, are you next? Senator Rockefeller. If you can be 
brief, please. 

[Laughter.] 

Senator Burns. Sorry I asked. 

Senator Rockefeller. A couple quick points. A comparison was 
made between fraud and privacy, and I just want to emphasize the 
enormity of the issue of privacy. It affects every single American, 
mostly without their knowledge, as opposed to fraud, which is the 
usual thing you complain about with Medicare and other things — 
waste, fraud, abuse, etcetera. These are issues of enormously dif- 
ferent dimensions. 

Second, if you have voluntary compliance or if you have a regulatory 
system set up in which you actually get 80 percent or 90 percent 
of companies that are complying with proper notification that 
meets all of Commissioner Anthony’s specifications, that the 10 
percent can undo all of the 90 percent in an instant. So it has got 
to be 100 percent. That is not offline; that is an online problem. 

That is why I think that we tread on dangerous water when we 
start comparing offline and online and saying, well, if we are going 
to do one we have got to do the other. They operate under different 
sets of market rules and they access or make themselves available 
and dangerous to the American public at very different levels of 
speed and enormity. 

About nine out of ten businesses that start up fail. This means 
that businesses are starting often. Their accounting rules have 
changed and now we have discovered they do not have as much 
money as they thought they did, but people are still into it. It is 
driving the economy and it is a very good thing for America and 
for the world. 

But again, all it takes is a couple of startups that do not have 
the money or the time or cannot afford the lawyers to be able to 
put that proper notification on. All the good work that you enforce 
or lay out self-regulatory or we lay out other rules for is gone. The 
2 percent can undo the 98 percent because once they sell it to the 
third-party purchaser or they have bought it from a third-party 
purchaser, it is all gone. 

That point needs to be made. That is why I think this is a very 
different level of problem than talking about online-offline. 

The third thing I want to say is that this is a wonderful set of 
circumstances into which to introduce minutia which distracts, but 
which is nevertheless important as you listen to it. Witness: Some- 
body comes in my office yesterday, they do not like what Senator 
Hollings and I are doing, and so they say, but if you get into access, 
that means that the consumer might be, as we used to say, a dead- 
beat dad, until we started getting all the letters from dads who did 
not consider themselves that way. They go in and then they change 
information to protect themselves from having to do what they 
need to do. Or criminals also can access and change their records. 

In other words, there are a thousand ways you can come at this 
to nitpick, to show that there is no perfect software, there is no 
perfect system. What that does is it tends to throw us on the defen- 
sive and say, oh, we cannot do that. We cannot have deadbeat dads 
changing their records so they do not have to pay child support. Let 
us just back off and do nothing. 

Again, I come back to my original point. We do not have that lux- 
ury. I think that is why, Mr. Chairman, you come down with the 
line of we have to do better. And I think you want to do online and 
offline together, but my question is are they really of the same di- 
mension? Do they move at the same speed? Do they have the same 
consequences, offline as online? I think that you would agree with 
me that they do not. 

Mr. Pitofsky. I do agree with you, Senator. I think the online 
threats to the privacy of consumers is greater than offline because 
of the way in which information can be gathered, marshalled, sort- 
ed out, accumulated, and then sold. So it is different. But I do not 
know about very different. There are threats to privacy that occur 
in the offline world that deserve our attention. 

I know the bill that you are sponsoring suggests that the FTC 
take a look at that and report back to Congress, and I think that 
is the right way to go. We did not report on it on this occasion, be- 
cause we really had not investigated it. 

The Chairman [presiding]. Thank you. 

Senator Bryan. 

Senator Bryan. Mr. Chairman, if I might just follow up on that. 
You are not suggesting, however, that because in your own thought 
process as you describe the evolution of the significance of offline 
privacy invasion, that we should hold up on these recommendations 
in terms of developing these base standards of notice, choice, ac- 
cess, and enforcement? I want to be clear on that. 

Mr. Pitofsky. Yes, Senator, exactly right, I am not. 

Senator Bryan. Mr. Swindle, if I might ask you a couple of ques- 
tions. I believe you were a dissenter in the report that the majority 
filed. As I understood the thrust of your testimony, you believe that 
self-regulation ought to be given an opportunity to work its course 
before we embark upon a legislative course of action. Is that a fair 
statement of your position, sir? I do not want to mischaracterize it. 

Mr. Swindle. Yes, sir, that is a fair description of it, but it goes 
further than that. My concerns with the report were that the re- 
port is a misconstruing of information and data. It is the basis for 
making the recommendation that we have this very broad, all-en- 
compassing legislation on virtually every Web site that exists. And, 
I think the data is used in a misleading manner and that leads to 
a recommendation which is illogical. I think we are on the wrong 
track. 

Senator Bryan. Do you support the concept that consumers 
ought to be given a notice of what the privacy policies are of online 
providers? 

Mr. Swindle. Yes, sir. 

Senator Bryan. Well, let me ask you to respond. Ms. Anthony 
had an example which she shared with us, where you have got to 
be referred from one page to another and several hundred inter- 
vening words. Our Chairman cited an example of one which I think 
any fair-minded person would say is not effective notice. I believe 
that Senator Kerry used the word “obfuscation.” I would say that 
it triumphs form over substance. 

Now, why should we not have some legislative standard that re- 
quires meaningful notice if this kind of action is being done by 
some of the major online providers in the country? 

Mr. Swindle. Senator Bryan, I think you will perhaps recall, in 
commenting to Senator McCain’s comments, I said these things are 
so ridiculous that I do not even read them. I just click them off. 

Senator Bryan. I apologize, I think I had to leave. 

Mr. Swindle. I am in the same group, and I think some form 
of clear and conspicuous notice would be most appropriate. I also 
made the statement that, in effect, our survey indicates that in ex- 
cess of 90 percent of Web sites now provide some form of notice al- 
ready. It is not the best of notices because some of them are Yahoo 
versions and some of them probably do not say anything other 
than, “we have a privacy policy.” So the quality of that statement, 
if it were prepared and put into very clear and precise, easy to 
understand form, would be a very good thing to do. 

I think choice naturally follows from being able to understand 
what is before you. It is like going into a store, it costs a dollar for 
this ball. If I want to pay a dollar for the ball, I pay it. If the pri- 
vacy notice says, we want to collect this information if you want 
to come into our site, then you make a choice. You go or do not go. 

Senator Bryan. I am sure there are other examples other than 
those that were cited for the record. The notices are misleading and 
confusing, and I think you are saying that you agree that in effect 
those are not real notice. Do we not need to have some type of a 
legislative response that says, look, notice cannot be just some 
game in which the consumer is moved from one link to another on 
a web page. It has got to be meaningful. 

Is there anything wrong with a legislative standard that requires 
notice to in fact be 

Mr. Swindle. No, sir. 

Senator Bryan. So you would agree with that? 

Mr. Swindle. My disagreement is with the all-encompassing na- 
ture of the recommendation. We are not talking about the same 
thing here. 

Senator Bryan. So you would have no problem with legislation 
that talks about notice in a meaningful sense? 

Mr. Swindle. Yes, sir. And I think in my statement or my dis- 
sent I said if the Congress believes we must legislate, let us go no 
further than notice. 

Senator Bryan. Notice. Let me ask about an aspect of enforce- 
ment. Mr. Chairman, this is my last question. You have been pa- 
tient, but I do not think I have belabored the point. 

We had a situation with Chase Manhattan, one of the major 
banks in America. Those of us that serve on the Banking Com- 
mittee know. Their privacy policy indicated a course of action in 
terms of how they would deal with consumer information, with pri- 
vate information. In point of fact, they violated their own consumer 
policy and sold to third party telemarketers. They received a 24 
percent commission for each sale that was ultimately consummated 
as a result of that third party, the telemarketer, negotiating with 
the customer. 

Now, ultimately what occurred, as you know, is the Attorney 
General in New York brought suit. But that deals with an enforce- 
ment issue. I mean, I do not know the law of every state in the 
country, and I certainly do not know the particular circumstances 
of the New York law. But, clearly, that is such a blatant violation 
of a stated policy there has got to be some enforcement. 

Would you agree with that point, Mr. Swindle? 

Mr. Swindle. Yes, sir, and we can do that under Section 5 of the 
Federal Trade Commission Act. I made reference earlier to 
Geocities, which is exactly that case. We would not be involved in 
the banking industry, as the Senator knows. But in the case of 
Geocities they had a privacy statement, they said we will do A, B, 
and C, and we found out later, alleged that they did A, B, C, D, 
E, and F and did a similar thing, they sold the information to third 
parties. And we have the power today to take enforcement action 
against them. 

Senator Bryan. So I take it from your response that it would be 
within your jurisdiction. Maybe we need to look at that; that is a 
separate issue. So you would certainly favor a regulation that 
would clearly provide some sanction for violation of a stated pri- 
vacy policy such as that? 

Mr. Swindle. We have that authority today under existing law. 

Senator Bryan. Mr. Chairman, thank you very much. 

I appreciate your response, Mr. Swindle. 

The Chairman. Thank you. 

I would like to tell the witnesses I appreciate their patience. I 
apologize for the break while we had a couple of votes. I thank you 
for helping us address these very difficult issues. We will be in 
communications with you. In fact, we may ask you to come back 
if and when there is some proposed legislation concerning this very, 
very important issue. 

So thank you very much. 

Mr. Pitofsky. Thank you, Mr. Chairman. 

The Chairman. The next panel is: Ms. Jill Lesser, Vice President 
of Domestic Public Policy, America Online; Ms. Christine Varney, 
senior partner of Hogan and Hartson, testifying on behalf of the 
Online Privacy Alliance; Mr. Jason Catlett, President of the 
Junkbusters Corporation; Mr. Jerry Berman, Executive Director, 
Center for Democracy and Technology; and Mr. Daniel Weitzner, 
who is Technology and Society Domain Leader of the World Wide 
Web Consortium. 

I would ask those who are departing to expedite their departure 
and those who are witnesses to please come forward as quickly as 
possible so we can continue the hearing. 

I want to thank all the witnesses for their patience. Obviously, 
your complete statement will be made a part of the record. Wel- 
come, Ms. Lesser. 

STATEMENT OF JILL A. LESSER, VICE PRESIDENT OF 
DOMESTIC PUBLIC POLICY, AMERICA ONLINE, INC. 

Ms. Lesser. Thank you, Chairman McCain, and I will try to be 
brief. Chairman McCain 

The Chairman. Could I emphasize, of course, we want you to be 
brief, but it is most important that we receive the information you 
have to impart. If there is any appearance of impatience on the 
part of the chairman and members of the Committee, please dis- 
regard that. The most important thing 

[Laughter.] 

Ms. Lesser. I will take that under advisement. 

The privacy report issued this week by the Federal Trade Com- 
mission shows in many ways that we have reached a crossroads in 
the development of the online medium. It is clear that the Internet 
is revolutionizing our society, dramatically changing the way we 
learn, communicate, and do business. People are migrating to the 
Internet to meet their commerce and communications needs at an 
extraordinary rate because it is convenient and fast and offers un- 
precedented selection of information, goods, and services. 

Yet, despite this enormous growth the Internet has enjoyed over 
the past few years, or perhaps because of it, we have seen a height- 
ened awareness of online privacy and security issues, consumer 
protection, and a whole host of issues related to online safety. And 
even though the medium continues to grow at an enormous rate, 
online companies are realizing that it is their responsibility to ad- 
dress these issues for their consumers. 

Of course — and I think this has perhaps been underemphasized 
today — this medium offers to users an ability unprecedented to cus- 
tomize and personalize their experiences. Consumers can, and do 
on a regular basis, communicate specific preferences that will allow 
them to receive information tailored to their own interests. 

No other commercial or educational medium has ever afforded 
such tremendous potential for personalization, and we are seeing 
consumers take advantage of these opportunities at an incredible 
rate. But we know that the power of the Internet can only be fully 
realized if consumers feel confident that their privacy is properly 
protected when they take advantage of these benefits, and there- 
fore we, along with many other companies, are protecting privacy. 
We view it as an essential aspect to earning their trust, and this 
trust is, in turn, essential to building the medium. 

That is why we and other companies have devoted so much time 
and energy to creating strong policies that provide meaningful pro- 
tection. As we have discussed much this morning, there are several 
important elements of those policies and I believe many, particu- 
larly the industry leaders, have policies that address all of those 
elements. 

Our own commitment is based on the lessons we have learned 
and the input we have gotten from consumers, policies that clearly 
notify our users what information will be collected, why, how it will 
be used, and the opportunity to exercise choice and disclosure. In- 
deed, we intend to fully implement those notice and choice prin- 
ciples across all of our brands when we hope our merger with 
Time-Warner is finally consummated. 

We also make sure that our policies are well understood with re- 
spect to our employees, and I think this is an important point as 
well. Implementation throughout a company of a privacy policy is 
critical to making sure that it is really truly within the ethos of all 
of our companies. 

We do try to keep users informed about the steps they can take. 
That is, do not give out your password and certainly do not give 
information out to companies or anybody you do not know and you 
do not trust. 

Finally, with respect to children, we have worked with many of 
you, Senator Bryan and Senator McCain in particular, supporting 
the Online Privacy Act related to children in the 105th Congress 
and do believe it was an area where additional steps were needed. 

In adopting and implementing our own policies, we are com- 
mitted to fostering best practices within the industry, and you will 
hear from the Online Privacy Alliance and many other trade asso- 
ciations and others we have worked with, and we have done a lot 
to make sure that our business partners are also following impor- 
tant privacy policies. 

So after all of that background, where are we now? The FTC re- 
port concludes that, despite this progress, industry has not done 
enough and that broad privacy legislation is necessary in order to 
ensure that consumers are protected. Does this mean in their view 
that self-regulation is a failure, and what are we as industry therefore 
supposed to do? 

As the Committee and other Congressional leaders begin to sift 
through the FTC’s recommendations, I would just like to offer a 
few thoughts as you do that. First, it is important for all of us in 
industry and government to stop thinking about this issue as a 
zero sum game, as self-regulation versus government regulation. 
Instead, we must remember that the crux of the issue is about con- 
sumer confidence, consumer protection, safety, and security, and 
since all of us have the same end goal, to ensure that consumers 
trust the online medium, we do not need to set ourselves up as op- 
ponents in a privacy battle. 

One way to approach this joint responsibility is to allow the mar- 
ket to lead, as it has, in developing up-to-date and innovative ini- 
tiatives for protecting privacy, but give the government its impor- 
tant enforcement activities. Indeed — and I think this is important 
to note in light of all the numbers we have heard today — the gov- 
ernment’s existing enforcement powers are greatly expanded sim- 
ply by the proliferation of privacy policies, now numbering almost 
90 percent. 

If you look at the examples used by Chairman McCain, by Com- 
missioner Anthony and others this morning about perhaps unfair 
or deceptive privacy policies, I would note that the FTC does have 
broad enforcement authority in those areas. So if you compare 90 
percent of sites having privacy policies with the enforcement au- 
thority of the FTC, I think there is an enormous amount of cov- 
erage that we are underestimating. 

Second, I would say that it is critical that neither the govern- 
ment nor industry view this issue as simple. On the contrary, when 
we as businesses ask our consumers what they are most concerned 
about, we get a variety of different answers. For some consumers, 
it is really security rather than privacy — identity theft, hacking — 
and certainly this is an area where the industry has every incen- 
tive to do the right thing, but the government must make clear 
that bad behavior is unacceptable. 

For other consumers, the primary concern relates to sensitive in- 
formation, an issue we have talked about a lot this morning. Indi- 
viduals want to take advantage of online health-related services, 
for example, without worrying about embarrassing or compro- 
mising releases of their health information. Indeed, Congress has 
addressed these issues through financial services legislation en- 
acted last Congress and the Health Insurance Portability and Ac- 
countability Act of 1996, neither of which, I would note, have been 
fully implemented. So we do need to make sure we understand 
what is out there. 

Such examples and others underscore the intricacy of the privacy 
issue and the difficulty in pinpointing the actual problems that 
need to be addressed through industry or government action. Un- 
fortunately, I would say the FTC’s recommendation for a sweeping 
regulatory regime for online privacy does not take into account ei- 
ther the complex dimensions of this issue or the need for industry- 
government partnership on privacy. 

The Commission purports to recognize the important role that in- 
dustry leadership on self-regulation has played, yet it recommends 
broad legislation with expansive regulatory authority that could actually 
discourage industry-led initiatives and market-driven solutions 
by outlawing consumer-oriented methods of privacy protection 
and personalization. 

We would therefore simply ask that members of this Committee 
look at privacy with a high regard for the benefits of personaliza- 
tion and the efficacy of industry action to date. You may find there 
are gaps in industry enforcement where government must step in 
to ensure compliance. Nevertheless, it is clear that companies are 
responding to increasing marketplace demand for online privacy, 
and the tremendous growth of e-commerce reflects a positive trend 
on a variety of consumer protection issues, including privacy. 

The challenges that lie ahead will give us a chance to prove that 
industry and government can work together, but ultimately it is 
the consumer who will judge whether those efforts are adequate be- 
cause, no matter how extraordinary the opportunities for e-com- 
merce may be, the marketplace will fail if we cannot meet con- 
sumers’ demands for privacy protection and gain their trust. 

We as a company are committed to doing the right thing. We be- 
lieve our colleagues in the industry are as well. We appreciate the 
opportunity to discuss these important issues with you this morn- 
ing. Thanks. 

[The prepared statement of Ms. Lesser follows:] 

Prepared Statement of Jill A. Lesser, Vice President of 
Domestic Public Policy, America Online, Inc. 

Chairman McCain, Senator Hollings, and Members of the Committee, I would like 
to thank you, on behalf of America Online, for the opportunity to discuss online pri- 
vacy with you today. My name is Jill Lesser, and I am the Vice President for Do- 
mestic Policy at AOL. 

The privacy report issued this week by the Federal Trade Commission shows that, 
in many ways, we have reached a crossroads in the development of the online 
medium. It is clear that the Internet is revolutionizing our society — dramatically 
changing the way we learn, communicate, and do business. People are migrating to 
the Internet to meet their commerce and communications needs at an extraordinary 
rate because it is convenient and fast, and offers an unprecedented selection of in- 
formation, goods and services. AOL subscribers can sign on to our service and do 
research, shop for clothing, obtain health information, and buy airline tickets — all 
in a matter of minutes. And every day we are seeing new online opportunities arise, 
and new users flocking to take advantage of these opportunities. 

Yet despite the enormous growth that the Internet has enjoyed over the past few 
years — or maybe because of it — we have seen a heightened awareness of online pri- 
vacy and security issues. Every day we are faced with new reports, studies, and sta- 
tistics — many of which seem to contradict each other — about how Internet users feel 
about the medium and how online privacy is, or isn’t, being protected. And even 
though the medium continues to grow at an incredible rate, online companies are 
realizing that they have to sit up and pay attention to privacy if they want to stay 
in business. 

Of course, one of the most attractive benefits that this medium offers to users is 
the ability to customize and personalize their online experience. Consumers can 
communicate specific preferences online that will allow them to receive information 
tailored to their own interests. For instance, AOL members can set their online pref- 
erences to get sports scores or stock quotes, read news stories about their own home- 
town, or receive notices about special discounts on their favorite CDs. No other com- 
mercial or educational medium has ever afforded such tremendous potential for per- 
sonalization, and we are seeing customers take advantage of these opportunities at 
an incredible rate — through our own services and through countless other business 
models for personalization, from online bookclubs to discount ticket agencies to spe- 
cial offers from the local supermarket. 

But we know now that the power of the Internet can only be fully realized if 
consumers feel confident that their privacy is properly protected when they take 
advantage of these benefits. If consumers do not feel secure online, they will not engage 
in online commerce or communication — and without this confidence, our business 
cannot continue to grow. For AOL, therefore, protecting our members’ privacy is es- 
sential to earning their trust, and this trust is, in turn, essential to building the 
online medium. That’s why AOL and other companies have devoted so much time 
and energy to creating strong privacy policies that provide meaningful protection 
and are backed up by compliance and enforcement programs. 

AOL’s own commitment is based on the lessons we’ve learned over the years and 
the input we’ve received from our members. We’ve created privacy policies that 
clearly explain to our users what information we collect, why we collect it, and how 
they can exercise choice about the use and disclosure of that information. AOL’s cur- 
rent privacy policy is organized around 8 core principles: 

• We do not read your private online communications. 

• We do not use any information about where you personally go on AOL or the 
Web, and we do not give it out to others. 

• We do not give out your telephone number, credit card information or screen 
names, unless you authorize us to do so. And we give you the opportunity to 
correct your personal contact and billing information at any time. 

• We may use information about the kinds of products you buy from AOL to make 
other marketing offers to you, unless you tell us not to. We do not give out this 
purchase data to others. 

• We give you choices about how AOL uses your personal information. 

• We take extra steps to protect the safety and privacy of children. 

• We use secure technology, privacy protection controls and restrictions on em- 
ployee access in order to safeguard your personal information. 

• We will keep you informed, clearly and prominently, about what we do with 
your personal information, and we will advise you if we change our policy. 

We give consumers clear choices — which are easy to find and easy to exercise — 
about how their personal information is used, and we make sure that our users are 
well informed about what those choices are. For instance, if an AOL subscriber de- 
cides that she does not want to receive any tailored marketing notices from us based 
on her personal information or preferences, she can simply check a box on our serv- 
ice that will let us know not to use her data for this purpose. Because we know this 
issue is so critically important to our members and users, we make every effort to 
ensure that our privacy policies are clearly communicated to our customers from the 
start of their online experience, and we notify our members whenever our policies 
are changed in any way. 

We also make sure that our policies are well understood and properly imple- 
mented by our employees. We require all employees to sign and agree to abide by 
our privacy policy, and we provide our managers with training in how to ensure pri- 
vacy compliance. We are committed to using state-of-the-art technology to ensure 
that the choices individuals make about their data online are honored, and that 
such data is protected and secured. 

And we try to keep users informed about the steps they can take to protect their 
own privacy online. For instance, we emphasize to our members that they must be 
careful not to give out their personal information unless they specifically know the 
entity or person with whom they are dealing, and we encourage them to check to 
see whether the sites they visit on the Web have posted privacy policies and to re- 
view those policies. 

Furthermore, AOL takes extra steps to protect the safety and privacy of children 
online. One of our highest priorities has always been to ensure that the children 
who use our service can enjoy a safe and rewarding online experience, and we be- 
lieve that privacy is a critical element of children’s online safety. 

We have created a special environment just for children — our “Kids Only” area — 
where extra protections are in place to ensure that our children are in the safest 
possible environment. In order to safeguard kids’ privacy, AOL does not collect per- 
sonal information from children without their parents’ knowledge and consent, and 
we carefully monitor all of the Kids Only chat rooms and message boards to make 
sure that a child does not post personal information that could allow a stranger to 
contact the child offline. Furthermore, through AOL’s “Parental Controls,” parents 
are able to protect their children’s privacy by setting strict limits on whom their 
children may send e-mail to and receive e-mail from online. 



As you know, AOL supported legislation in the 105th Congress to set baseline 
standards for protecting kids’ privacy online — precisely because of the unique con- 
cerns relating to child safety in the online environment. We worked with Senator 
Bryan, Senator McCain, the FTC, and key industry and public interest groups to 
help bring the Child Online Privacy Protection Act (COPPA) to fruition. We believe 
the enactment of this bill — which took effect last month — was a major step in the 
ongoing effort to make the Internet safe for children. 

In addition to adopting and implementing our own policies, AOL is committed to 
fostering best practices among our business partners and industry colleagues. One 
of the strongest examples of this effort is our “Certified Merchant” program, through 
which we work with our business partners to guarantee our members the highest 
standards of privacy and customer satisfaction when they are within the AOL envi- 
ronment. AOL carefully selects the merchants we allow in the program, and re- 
quires all participants to adhere to strict consumer protection standards and privacy 
policies. The Certified Merchant principles are posted clearly in all of our online 
shopping areas, thereby ensuring that both consumers and merchants have notice 
of the rules involved and the details of the enforcement mechanisms, which help to 
foster consumer trust and merchant responsiveness. 

Through our Certified Merchant program, we commit to our members that they 
will be satisfied with their online experience, and we have developed a money-back 
guarantee program to dispel consumer concerns about shopping online and increase 
consumer trust in this powerful new medium. We believe that these high standards 
for consumer protection and fair information practices will help bolster consumer 
confidence and encourage our members to engage in electronic commerce. 

We at AOL are proud of the steps we’ve taken to create a privacy-friendly envi- 
ronment online for our members and encourage our industry colleagues to do the 
same. But we haven’t done these things to prove a point or to discourage govern- 
ment regulation — we’ve done them because we must do them, because our business, 
more than ever, requires us to respond to consumer demands and take privacy seri- 
ously in order to build more consumer trust in the medium. And we know that 
many other online businesses feel exactly the same way. That’s why AOL joined 
with other companies and associations two years ago to form the Online Privacy Al- 
liance (OPA), about which you will hear more this morning from another witness. 
And that’s why through NetCoalition, a group representing some of the largest and 
most active online companies, we recently sent a letter to 500 CEOs encouraging 
them to post good privacy policies on their Web sites that contain the key fair infor- 
mation principles, and to fully implement these policies within their companies. The 
progress that industry has made is real — one thing the FTC report clearly shows 
is that the proportion of commercial Web sites posting privacy policies has sky- 
rocketed in less than three years from less than 14% to over 90% — unbelievable 
progress for an industry that barely existed just a few years ago and which today 
is demonstrating the most rapid growth in the history of media. 

So where are we now? The FTC report concludes that, despite this progress, in- 
dustry hasn’t done enough, and that broad privacy legislation is necessary in order 
to ensure that consumers are protected. Does this mean that self-regulation is a fail- 
ure? What are we supposed to do next? 

As the Commerce Committee and other Congressional leaders begin to sift 
through the FTC’s recommendation and face the issue of whether to take action in 
this area, I would like to offer just a few thoughts on how you might approach an- 
swering these difficult questions: 

First, it is important that all of us in industry and government stop thinking 
about the privacy issue as a “zero sum game” — as self-regulation versus government 
regulation. Instead, we must remember that the crux of the issue is really consumer 
confidence, consumer protection, safety and security. And since all of us have the 
same end goal — to ensure that consumers trust the online medium — we do not need 
to set ourselves up as opponents in a privacy “battle.” Clearly the industry has an 
enormous incentive to make consumer protection a fundamental part of doing busi- 
ness, but there is also an important role for government in protecting consumers. 
One way to approach this joint responsibility is to allow the market to lead the way 
in developing up-to-date and innovative initiatives for protecting privacy, but let the 
government step up its enforcement activities. Indeed, the government’s existing en- 
forcement powers are greatly expanded simply by the proliferation of privacy poli- 
cies, now numbering 90 percent. This type of partnership allows for maximum flexi- 
bility and technological innovation, so that the “good guys” can set the stage for best 
practices while the “bad guys” pay the price for bad behavior. 

Second, it is critical that neither the government nor industry view privacy as a 
simple issue with a simple answer. On the contrary, when we as businesses ask our 
consumers what it is they are most concerned about we get a variety of different 
answers: 

• For some consumers it is security rather than privacy that is the greatest con- 
cern. They care more about whether their credit cards can be safely “submitted” 
online than about whether their ISP will send them a tailored advertisement. 
In reality, the risks of identity theft may actually be greater in the offline world 
than in the online world, where fewer humans actually touch or handle an indi- 
vidual’s credit card, for example. Yet the prospect of personal information being 
compromised through hacking and theft is likely keeping many consumers from 
going online. This is certainly an area where the industry has every incentive 
to do the right thing but the government must make clear that bad behavior 
is not acceptable. 

• For other consumers, the primary concern relates to sensitive information like 
health and financial data. Individuals want to take advantage of online health- 
related services, for example, without worrying about embarrassing or compro- 
mising releases of their health information. For these types of information, in- 
dustry and government will need to determine what privacy standards need to 
be in place for particular businesses to succeed, and indeed Congress has al- 
ready addressed these issues through financial services legislation enacted last 
Congress and the Health Insurance Portability and Accountability Act of 1996, 
neither of which have yet been fully implemented. 

• Still another group of consumers is concerned about whether their online behav- 
ior is being “tracked.” Yet when the technologies behind such activity are ex- 
plained and consumers are able to understand that there are both positive and 
negative uses of these types of tools, it may turn out that consumers simply 
want to know what a particular Web site is doing so they can make their own 
decisions about how to use these services. 

Such examples underscore the intricacy of the privacy issue and the difficulty in 
pinpointing the actual problems that need to be addressed through industry or gov- 
ernment action. 

Unfortunately, the FTC’s recommendation for a sweeping regulatory regime for 
online privacy does not take into account either the complex dimensions of this issue 
or the need for an industry-government partnership on privacy. The Commission 
purports to recognize the important role that industry leadership on self-regulation 
plays in any privacy solution; yet the report recommends broad legislation that 
would provide “flexibility to the implementing agency in promulgating its rules or 
regulations . . . [that could] define . . . fair information practices with greater spec- 
ificity.” Such expansive regulatory authority could actually discourage industry-led 
initiatives and market-driven solutions by outlawing consumer-oriented methods of 
privacy protection and personalization. Furthermore, such sweeping legislation 
would not take into account all of the more targeted proposals that have either been 
enacted or are pending — from the new children’s privacy law, to rules for health and 
medical data, to financial privacy regulations. 

We at AOL would therefore ask the Members of this Committee to develop its 
policies in the privacy area with high regard for the benefits of personalization and 
the efficacy of industry action to date. You may find that there are gaps in industry 
enforcement where government must step in to ensure compliance. Nevertheless, it 
is clear that companies are responding to the increasing marketplace demand for 
online privacy, and that the tremendous growth of e-commerce reflects positive 
trends on a variety of consumer protection issues, including privacy. Sweeping regu- 
latory action could very likely curb such market innovation and competition and dis- 
courage creative and flexible approaches to privacy protection. 

The challenges that lie ahead will give us the chance to prove that industry and 
government can work together to promote online privacy. But ultimately, it is the 
consumer who will be the judge of whether these efforts are adequate. Because no 
matter how extraordinary the opportunities for electronic commerce may be, the 
marketplace will fail if we cannot meet consumers’ demands for privacy protection 
and gain their trust. 

We at AOL are committed to doing our part to protecting personal privacy online. 
Our customers demand it, and our business requires it — but most importantly, the 
growth and success of the online medium depend on it. We appreciate the oppor- 
tunity to discuss these important issues before the Committee, and look forward to 
continuing to work with you on other matters relating to the Internet and electronic 
commerce. 


The Chairman. Ms. Varney, welcome. 
STATEMENT OF CHRISTINE VARNEY, SENIOR PARTNER, 
HOGAN AND HARTSON, ON BEHALF OF THE ONLINE 
PRIVACY ALLIANCE 

Ms. Varney. Thank you, Chairman. It is a pleasure to be here. 
Thank you for inviting me. Mindful of your admonition, I am just 
going to talk for a few minutes. I have got longer remarks that we 
have submitted for the record and I would like to address some of 
the issues that have been raised this morning. 

First of all, we can sit here all day and argue about numbers — 
88 percent, 60 percent, 40 percent, back out access, back out secu- 
rity, whatever. I think that it is fairly clear that there has been 
enormous progress. If you look over time, the increase in the num- 
bers of Web sites that are making some type of privacy disclosures, 
providing some types of choices, is going up. I think that is some- 
thing that this Congress can take a lot of credit for because they 
have shown a lot of leadership in working with the industry on it. 

The complexity that we get to, that Commissioner Anthony and 
others have mentioned, when you read these notice policies should 
not be underestimated. Both Yahoo and Doubleclick have very 
large, very complex businesses and, Chairman, both those compa- 
nies have been working very hard in the last month to completely 
revamp their privacy policies and make them easier to use, easier 
to read, and both those companies would like to come and talk to 
you, perhaps next week if you have time, to show you what they 
are planning on doing and get your feedback and your thoughts 
about it. 

The Chairman. I would be glad to do that. 

Ms. Varney. Thank you. 

If privacy policies, if notices are misleading, I think as Ms. Less- 
er said, the FTC has the authority. Maybe what they need is more 
resources. They ought to prosecute those people. To put a state- 
ment up that says we protect your privacy policy and somewhere 
in the statement say we do whatever we deem reasonable with 
your data and you do not get any choice about it, I think is decep- 
tive on its face and it ought to be prosecuted. 

Senator Kerry talked a lot 

The Chairman. Yahoo? Yahoo ought to be prosecuted? 

Ms. Varney. Well, Yahoo’s is not deceptive, Senator. Yahoo’s is 
complex. Yahoo is a very large company with an enormous Web 
site offering a wide array of services and products. When I read 
Yahoo’s privacy policy, what I think they tried to do was be com- 
pletely comprehensive, tell you everything. And it is not easy to 
read, they will agree with you. 

The Chairman. Why do you have to be comprehensive? Can you 
not just say, this information will be private? What is the com- 
prehensiveness? 

Ms. Varney. You may absolutely say, we will never disclose this 
information to anyone under any circumstances, if that is what you 
do. When you run a Web site where you have content provider 
partners, where you have chat rooms that you link to that are run 
by other companies, where you have ask-a-doctor questions, where 
you e-mail a doctor who does not work for a company but works 
for somebody else, that information is in fact going to someone else. 
It might be clear to you, it might not be clear to you. But to say 
we never give your information to anyone under any circumstances 
is flat out deceptive, unless that is precisely what you do. I would 
submit to you, Senator, unless you are dealing with a very small 
Web site, that is not the case today. 

These Web sites, why are they so complex and comprehen- 
sive — 

The Chairman. So we need a how many sentence 

Ms. Varney. I think that what you see 

The Chairman. Ms. Varney, that is not appropriate. It is not ap- 
propriate for most Americans not to be able to understand a Web 
site’s privacy policy. 

Ms. Varney. I agree, I agree. 

The Chairman. Now, can you understand the Yahoo statement? 

Ms. Varney. I do not think that is a fair test, Senator. 

The Chairman. Well, we just had a university professor who 
could not. 

Ms. Varney. I will leave that one. 

I think that you are right, it is too complicated, and the compa- 
nies are really working on how to make it less complex. Why is it 
so complicated? Because they are big companies with lots of busi- 
ness units. They are publicly traded companies that face share- 
holder lawsuits if they are not completely accurate in every regard. 
That is not to say that they cannot do it better and that they 
should not and that they will. I think they all will, which goes to 
my next point. 

The Chairman. I apologize for interrupting you, by the way. 

Ms. Varney. Not at all. Always better to have an exchange, I 
think, a dialog than a monologue. 

What you have seen, what you have identified here this morning, 
I think is a real problem in making these notices easy to find, read, 
and understand. How do you do that? That is a problem we ought 
to address and perhaps ultimately it may need to be addressed leg- 
islatively. 

Do you need to delegate what I consider to be broad, sweeping 
regulatory authority to the FTC to do that? No. This Congress has 
not delegated to any Federal agency broad regulatory authority 
over the Internet and I do not think this is the time to start. 

Senator Kerry mentioned the financial data, data related to 
health and medical information, data related to kid-sensitive data. 
That may need a more complex regulatory scheme. In fact, as Ms. 
Lesser said, you passed the Financial Services Modernization Act. 
Now, we can argue about whether or not the privacy protections in 
that are adequate, but you passed it and it is just now going into 
effect. 

You passed the Health Insurance Portability and Accountability 
Act. Those regulations dealing with privacy are not even done yet. 
We need to look at them. We need to figure out if there is loop- 
holes. We have to give Americans the highest level of protection for 
their health and medical data. 

The kids law, the Children’s Online Privacy Protection Act, 
which this Committee birthed, has been wildly successful in my 
view, but it has had some unintended consequences, maybe not bad 
but unintended. Let us take a look and see where the gaps are. 
The question I think is, whether it is 80 percent or 90 percent 
or 60 percent, how do you get this last mile to get every Web site 
that is collecting personal information to tell consumers in a 
straightforward way what they are doing and what their choices 
are? I do not believe the answer is delegating broad regulatory au- 
thority to the Federal Trade Commission at this time. 

Thank you, Senator. 

[The prepared statement of Ms. Varney follows:] 

Prepared Statement of Christine Varney, Senior Partner, Hogan and 
Hartson, on Behalf of the Online Privacy Alliance 

Mr. Chairman: 

Thank you very much for inviting me to testify this afternoon on behalf of the 
Online Privacy Alliance. My name is Christine Varney. I am a former Federal Trade 
Commissioner and am currently a partner at Hogan & Hartson where I chair the 
Internet Practice Group. In addition, I am an advisor to the Online Privacy Alli- 
ance — a coalition of over 100 industry and trade associations who came together two 
years ago to formulate and advocate for best privacy practices online. With your per- 
mission I have submitted for the record extensive descriptions of privacy practices 
developed by the Online Privacy Alliance that can be used for future reference. I 
would like to take a few minutes here to discuss the FTC’s report and the Commis- 
sion’s call for regulatory authority. 

First, let me congratulate and thank the Commission for their ongoing work in 
examining the issues of privacy in the information age. It was not that long ago 
when I was a Commissioner in 1995 and I was told by some of my colleagues, none 
of whom are still at the FTC, that privacy was not a consumer protection issue. I 
think we have all come to realize that privacy is the consumer protection issue of 
the information age. 

It is important to remember that the FTC’s study is not and cannot be considered 
an evaluation of the state of privacy on the Internet. The FTC’s analysis that only 
20 percent of Web sites comply with all four fair information practices, and there- 
fore, provide inadequate privacy is fundamentally flawed. As Commissioner Leary 
points out in his statement, the Commission’s own Internet privacy policy does not 
meet the Commission’s own test for an adequate privacy policy. In fact, in many 
many Web sites, both commercial and otherwise, some of the fair information prac- 
tice elements, such as choice, security, or access, may not be at all relevant. 

Let me give you a few examples as to when or why some of these criteria may 
not be relevant. If a site only uses your data only to complete a transaction, no 
choice is necessary. A site that does not disclose its security precautions doesn’t 
mean they don’t exist. Many experts testified in front of the Federal Trade Commis- 
sion’s Advisory Committee on Security and Access that security measures and pre- 
cautions should not be disclosed on Web sites as it can lead to increased attempts 
at unauthorized access. Finally, the FTC’s own Advisory Committee could not come 
to any agreement on what, if any, level of access is appropriate for non-sensitive 
data, under what circumstances, and at what costs. 

While the FTC report does provide metrics, it clearly does not nor should it be 
interpreted as evaluating the state of privacy on the Internet. Thus, I entirely dis- 
agree with the conclusion that privacy in cyberspace is woefully inadequate and that 
legislation is necessary to empower the Federal Trade Commission to regulate data 
practices in e-commerce. 

Two years ago, close to 10% of all Web sites posted some type of privacy policy 
or described their privacy practices in some way. Today that number is close to 90%. 
That is astonishing! Consumers are now better able than ever to determine whether 
a Web site’s data practices match their own preferences. The ability of consumers 
to make meaningful privacy choices likewise doesn’t guarantee privacy on the Net. 
We clearly need to do more work to make those choices clear and easy. 

When asked “do you care about your privacy?” an overwhelming 90% of Ameri- 
cans will respond that yes, they do. But when you push down on those numbers, 
what you find out is that Americans care deeply about the abuse and misuse of their 
personal financial information, personal medical or health information, and informa- 
tion about their children. Additionally, Americans are very concerned about identity 
theft and credit card fraud on the Internet. In each of these arenas, Congress has 
either already acted or the FTC already has sufficient authority to enforce existing 
law. You have dealt with collection of data, from or about children in the Children’s 
Online Privacy Protection Act which went into effect just last month. Last year, you 
passed the Financial Services Modernization Act. While we may argue about the 
adequacy of the financial privacy protections in the Act, clearly the Congress has 
begun addressing financial privacy in that Bill and the FTC has, just last week, re- 
leased its regulations implementing that Act. The regulations implementing the 
Health Insurance Portability and Accountability Act are still being drafted. These 
regulations clearly address health and medical privacy. Credit card fraud and iden- 
tity theft are already illegal and should be prosecuted to the fullest extent. 

Thus, I believe the FTC’s conclusion that privacy on the Internet is inadequate 
is not supported by the facts in their report. That is not to say that we, industry 
and government, can’t do a better job empowering consumers to protect privacy on 
the Internet. What is needed, I believe, is a commitment by government and indus- 
try to continue the work started several years ago to make privacy policies easy to 
find, read and understand. To make the promise of meaningful choice and control 
over personal data real — whether through technology solutions like P3P, software 
solutions like Privida and Privaseek, enforcement actions under existing law, or fill- 
ing specific legal gaps. What we do not need are sweeping regulations governing the 
collection and use of data, the conditions and methods under which that data use 
can be consented to, the dimensions of access that must be provided to data and 
the level and design of web security. Rather, what I would suggest is that Congress 
continue its work with consumers and industry representatives in order to deter- 
mine how best to reach the last 10 percent of Internet sites that do not disclose 
their data practices and perhaps begin consideration of a means to create a coherent 
and simple standard for privacy disclosures across all Internet sites. Congress has 
wisely refrained from delegating to any agency enormous regulatory authority over 
the Internet. When Congress has seen a problem, it has specifically addressed the 
problem. If there is any problem with privacy for non-sensitive data on the Internet, 
it is the lack of ubiquity in the posting of privacy policies and inconsistent and often 
complicated disclosure statements. Neither of these problems is successfully ad- 
dressed through an enormous regulatory undertaking. Whatever solutions Congress, 
industry and consumers come to that will make privacy choices on the Internet 
ubiquitous, the solutions must be technology neutral, market driven, and hospitable 
to the online environment. 

Those who sit before you and talked about self-regulation as a failure and legisla- 
tion as the answer, or self-regulation as a panacea and legislation as repugnant, are 
in my view, clearly missing the point. The point in the information age has to be 
how can American consumers, whether they are consuming medical information, fi- 
nancial information, or other commercial information, protect themselves and their 
privacy desires. In some instances, there will be technological solutions. In some in- 
stances, there may be best practices, and in other instances, there may be loopholes 
in existing law that need to be closed or an absence of law altogether that must 
be filled. 

Too often the privacy debate has been polarized between those who wish to pro- 
hibit the use of personal information for any and all purposes, and those who wish 
to exploit the use of personal information for any and all purposes. Neither of these 
postures addresses the increasing concerns of Americans regarding the protection of 
their personal privacy while allowing for its beneficial use. Neither of these polar 
positions realizes that there are benefits and limits to the use of personal informa- 
tion. Neither of these positions frankly can bring a balanced economically viable and 
societally appropriate conclusion to the privacy debate. 

The Chairman. Thank you very much. 

Mr. Catlett, for the benefit of the Committee perhaps you could 
tell us what Junkbusters is about. 

STATEMENT OF JASON CATLETT, PRESIDENT AND CHIEF 
EXECUTIVE OFFICER, JUNKBUSTERS CORPORATION, AND 
VISITING SCHOLAR, COLUMBIA UNIVERSITY DEPARTMENT 
OF COMPUTER SCIENCE 

Mr. Catlett. I would be pleased to, Senator. Junkbusters is a 
Web site where people go for information about how to stop junk 
communications, such as junk e-mail, junk telemarketing calls, 
junk faxes, unwanted junk mail, and so forth. 
The Chairman. It sounds to me like you are doing the Lord’s 
work, Mr. Catlett. 

[Laughter.] 

Mr. Catlett. Thank you, sir. 

Senator Burns. Maybe we do not have to pass the spamming 
bill then? 

Mr. Catlett. I strongly recommend that you do pass something 
like H.R. 3113 without the provision of labeling. I think that is 
very much needed. 

There are those who say that technological solutions for, for ex- 
ample, filtering out junk e-mail will suffice. But I can tell you, after 
running this Web site for 4 years and publishing software to help 
people protect their privacy, publishing information about how to 
remove cookies, how to stop junk phone calls and so forth, I can 
tell you that technology is not going to stop the death of privacy 
in this country. 

Furthermore, self-regulation is also not alone or with technology 
going to stop the erosion of privacy. It is necessary to have laws 
that give individuals the right to protect their own interests. 

The Chairman. You do not believe that the FTC has existing au- 
thority? 

Mr. Catlett. I do not believe they have sufficient authority to 
require sites to, for example, stop selling your telephone number to 
telemarketers when you tell them if the site’s policy is stated as 
they will do that or they do not state that. There is nothing you 
can do, and we get e-mail at Junkbusters from harassed mothers 
in West Virginia who say, how can I get these telemarketers to 
stop calling me? 

Mere notice is not enough. The doctrine that all actions can be 
taken on the basis of fraud is simply mistaken, I think. 

There has been a lot of discussion about online and offline worlds 
and I would like to relate a little experience when I used to work 
at AT&T Bell Labs. I came here in 1992 to work on research on 
marketing and data bases. That work was governed by very strict 
laws about what could be done with people’s phone call records. 
Suppose that Congress had not passed those laws to protect the 
privacy of people when they use the phone system. 

Well, we would have a situation similar to what we have today 
on the Internet, where we are reading headlines about the terrible 
things that phone companies are doing. Instead of Doubleclick, it 
would be some company — I will fictionally call it Orwell Long Dis- 
tance — that is spying on the phone customers. 

For example, it might have speech recognition technology that 
listens to the key words that you speak in your phone conversa- 
tions with business and uses them to target more interesting tele- 
marketing calls to you. It might analyze the telephone numbers 
that you call, look them up in the Yellow Pages categories, and see 
what kind of categories of products you are interested in, and sell 
that information to cataloguers. 

Now, if they did that people would be outraged and it would be 
simply illegal. But analogous practices on the web are prevalent 
from companies such as Doubleclick. 

The Federal Trade Commission’s report has been criticized by 
some people as understating the amount of progress that has been 
made. But if you look at the analysis of, say, Forrester Research, 
an independent industry analysis firm, they actually paint a much 
bleaker picture of the amount of privacy protection that has been 
provided by industry. Forrester called many of these policies a joke 
and said that they serve to protect the interests of the companies 
rather than consumers. The Electronic Privacy Information Center 
has also done a series of excellent reports that come to the same 
conclusion. 

So to my mind the FTC’s conclusion that legislation is necessary 
is absolutely unassailable. We need legislation. What kind of legis- 
lation is needed? Well, the Online Privacy Alliance’s four principles 
are not sufficient. Merely having notice, offering choice, some sort 
of weak access, and some sort of security is not enough. What is 
needed is in many cases to ask the consent of the person concerned 
before using his or her information. 

That is one of the great principles of the bill before you, the Con- 
sumer Privacy Protection Act. It furthermore establishes, would es- 
tablish, standing institutions that look to the privacy issue beyond 
the trade issue. Most importantly, it gives individuals a private 
right of action so that they can defend their own interests when 
their privacy is violated. 

My own major criticism of the bill is that it preempts State law. 
I think it is entirely proper to allow the States their traditional role 
of laboratories of legislative innovation. 

Privacy is a fundamental human right and Congress with this 
bill now has the opportunity to head off the demise of that right. 
It is really clear to me that, looking at the U.S. as someone who 
was not born here, that the world looks to the U.S. as a Nation 
that deeply respects human rights and individual liberties, and the 
citizens of this country do not have enough rights to defend their 
own privacy in cyberspace. 

So I think that you all bear a great responsibility for determining 
whether the United States’ leadership will extend into cyberspace 
and whether American citizens’ rights will be preserved into the 
twenty first century. 

Thank you. 

[The prepared statement of Mr. Catlett follows:] 

Prepared Statement of Jason Catlett, President and Chief Executive Officer, 
Junkbusters Corporation, and Visiting Scholar, Columbia University 
Department of Computer Science 

My name is Jason Catlett, and I am President and CEO of Junkbusters Corp., 
a for-profit dot com company working to promote privacy. I’m very grateful to the 
Senate for this opportunity to discuss with you how to protect privacy in the Inter- 
net age. 

I came to this country from Australia eight years ago to join the computer science 
research staff at AT&T Bell Laboratories. Since I founded Junkbusters in 1996, the 
company has published advanced software and provided services and information to 
help people defend their own privacy. These resources have been used by hundreds 
of thousands of Americans. Based on feedback from people across this country, and 
my own investigations, I have been led to the conclusion that technical solutions to 
the challenges of privacy will not prevent the death of American privacy online. It 
is clear to me that legislation is appropriate and necessary to protect privacy on the 
Internet. 

My work in marketing and databases at AT&T Bell Labs was governed by strict 
laws to protect the privacy of telephone subscribers. The Internet still has few cor- 
responding laws, so companies are engaging in practices that would be regarded as 
unacceptable and illegal on a phone network. 

Collectively, this commercial surveillance is having the tragically perverse con- 
sequence of scaring off consumers from the entire medium rather than attracting 
them to a particular site. The Harris/Business Week polls and many others since 
1998 have found that fear for privacy is a major or primary reason consumers give 
for not going online, and for not participating in e-commerce. Their 2000 poll 
showed a strong majority of Americans favoring new privacy legislation. Forrester 
Research, a highly regarded firm of technology analysts whose reputation has been 
built by providing accurate research and advice to companies, has harshly criticized 
the poor standards of privacy protection online, finding in September 1999 that 90 
percent of Web sites fail to comply with basic privacy principles. Forrester called 
most privacy policies “a joke” and concluded that “the vast majority of such policies, 
like those of the Gap, Macy’s and JC Penney, use vague terms and legalese that 
serve to protect companies and not individuals.” These are not the words of some 
bleeding heart privacy advocate, but of hard-nosed analysts working for a company 
whose long-term success heavily depends on understanding and promoting the 
growth of Internet commerce. In October 1999 Forrester published a report finding 
that “Nearly 90% of online consumers want the right to control how their personal 
information is used after it is collected. This desire for online anonymity cuts across 
consumers from a broad range of demographic backgrounds, including gender, in- 
come, and age. Surprisingly, these concerns change very little as consumers spend 
more time online.” It is not ignorance that is causing Americans to worry. It is a 
rational assessment of the lack of control over their personal information, and the 
paucity of recourse available to them if it is misused. 

This privacy problem will not go away by itself because the economic incentives 
of individual companies work against it. As an example, providing customers with 
an opt-out from a list of phone numbers being sold to telemarketers means both for- 
going future revenue and incurring a capital cost to set up an opt-out system. Com- 
panies can ill afford to unilaterally jump ahead of their competitors, even though 
the sums of money are minor compared to the increase in participation that would 
result from a market where privacy rights are widely respected. The idea that con- 
sumer demand will force companies to offer privacy protections is naive and simply 
not supported by empirical evidence in surveys. What company is going to produce 
advertising copy like the following? “Buy books from us and we will give you a 
choice in whether we sell your phone number to telemarketers.” As Commissioner 
Anthony wisely observed in a statement Monday, legislation of the kind rec- 
ommended by the FTC “would reward those sites that have offered real privacy pro- 
tections and require all others to meet basic privacy standard.” 

We are facing a tremendous loss of both economic opportunity, and of our funda- 
mental human right to privacy. The only way to stop this tragedy is to require all 
companies to respect the privacy of their customers and prospects. And that is an 
entirely proper thing for the federal government to do. 

On the Internet this loss is particularly acute, but is obscured by technical com- 
plexity. Let me describe one example by analogy. 

Online advertisers build up profiles based on where people go, what they look for, 
and how they behave on the Net. Imagine if Congress had not passed laws to pro- 
tect the privacy of telephone users. The headlines would be full of the kind of pri- 
vacy horror stories we see today about the Internet. We might see a telco that I 
will fictionally name Orwell Long Distance using speech-recognition technology to 
spot keywords in your conversations with businesses in order to target you with 
more interesting telemarketing calls. OLD might look up the yellow pages categories 
of the numbers you frequently call, and sell that information to junk mailers to de- 
cide the kinds of catalogs you’re less likely to throw away. This sounds absurd to 
us now, but on the Web, equivalent practices abound, unrestrained. 

Banner ad companies get to see the specific Web pages people visit, plus the key- 
words they type into search engines and other forms. They track individual PCs 
using unique identifiers called “cookies” placed on Web browsers. Most people 
haven’t heard these companies’ names, but some of them have started identifying 
people by name. Large profiles that were previously gathered with just an anony- 
mous identifier are being linked to a street address, and phone number, and e-mail 
address. 

If Orwell Long Distance were unencumbered by present phone privacy laws, its 
lobbyists would be telling Congress that any attempt to restrict the free flow of in- 
formation on the international phone system would be futile, and could result in the 
collapse of toll-free ordering. But you would wisely dismiss that claim and judge 
that the greater economic good requires that people have confidence that their pri- 
vacy is protected by law when they do business by phone. 

It would be silly to expect consumers to defend themselves from Orwell Long 
Distance by using their own voice scramblers and payphones, or indeed technology from 
OLD itself. Suppose OLD designed a device that could be held up as a technological 
solution to the privacy concerns of phone subscribers. The result might be rather 
like a caller ID box, but in addition to displaying the name and number of the 
calling party, it would indicate the degree of privacy being offered by the various 
carriers involved in the call. The called party would then supposedly be given 
“choice” on whether to pick up and speak to her mother for example, or have her 
call automatically rejected because it doesn’t meet her daughter’s privacy “pref- 
erences.” This scheme would not protect privacy on the phone, and its Internet 
equivalent, P3P, will not protect privacy online. 

What people need are simple, predictable standards, not more complexity, just as 
businesses need simple predictable copyrights. Both privacy and copyright law ac- 
commodate more complex arrangements whenever needed, with the consent of the 
parties involved. 

The comparison with copyright is useful in dismissing many commonly-heard ob- 
jections to privacy legislation. “We mustn’t impede the free flow of information, so 
privacy/copyright laws are bad.” On the contrary, such laws promote participation 
in the information economy, by protecting the rights of the participants. “The Inter- 
net is international, so privacy/copyright laws are useless.” On the contrary, that 
is no reason to permit domestic abuses, and international treaties can be developed. 
“Technology changes quickly, so copyright/privacy laws are useless.” On the con- 
trary, such laws should be technology-independent; it is the data that needs pro- 
tecting, not the means of transmission. “It’s impossible to enforce copyright/privacy 
laws completely, so we shouldn’t have them.” Of course incidental violations will 
occur, but organizations will not base their businesses on piracy/privacy violation, 
or at least not for long. 

Finally, imagine if the Recording Industry Association of America were assessing the 
results of a fictional survey by the Department of Commerce showing that more 
than 80% of U.S. households do not infringe music copyrights, and concluding that 
copyright law should therefore be repealed. Preposterous, the RIAA would say. Even 
95% of households respecting copyright would still leave 5% free to infringe copy- 
rights. We must have a law. Won’t new technology for preventing the unauthorized 
duplication of CDs provide the answer, a lobbyist against one-size-fits-all legislation 
might ask? No, the RIAA would say. We need a law, and we need substantial crimi- 
nal and civil penalties. The Digital Millennium Copyright Act of 1998 was 
Congress’s response to this issue. 

In general, information technology produces many more opportunities for enabling 
undesired uses of information than it does for preventing it. As someone who has 
personally designed, coded, documented and published privacy-enhancing software, 
I would be the last to try to impede such technologies. The argument by some lobby- 
ists that legislation would dampen technological innovation to protect privacy is spe- 
cious. On the contrary, legislation would give companies an incentive to adopt tech- 
nologies that promote privacy. Services for assuring anonymity become more valu- 
able in a world where data protection is required, because anonymity is an infallible 
way of obviating the misuse of personal information. 

The Report and Recommendation of the Federal Trade Commission 

The FTC’s report has been criticized by some trade associations as understating 
the level of privacy protection being provided by major Internet sites. I believe ex- 
actly the opposite is the case. Three years of surveys by the Electronic Privacy Infor- 
mation Center plus Forrester’s assessment in September provide far stronger evi- 
dence that the average site provides substandard privacy. As an illustration, take 
the issue of access by consumers to information collected about them. The Online 
Privacy Alliance’s spokesperson Christine Varney said in a press release Tuesday 
that “There is no agreed-upon standard for access, so how can the FTC measure it?” 
They can’t. The answer was on page 23 of the FTC’s report: “With respect to Access, 
a site received credit if it offers the ability to review, correct, or delete at least one 
item of personal information it has collected — oftentimes simply an opportunity to 
update an e-mail address — without regard to what other information a site may 
have actually collected or compiled.” Plainly the FTC can measure access, and they 
did. It is significant that the FTC were very easy graders, and yet most sites still 
failed. As to the consumer’s view of access, a study in April 1999 by AT&T Labora- 
tories asked respondents about “importance of whether the site will allow me to find 
out what info about me they keep in their databases.” 57% replied saying it was 
very important, 27% somewhat important, 4.2% not important, with the rest not re- 
sponding. The FTC’s conclusion that legislation is needed to improve consumer con- 
fidence in a world where most sites are not providing sufficient privacy is simply 
unassailable. What is remarkable is that the majority of Commissioners waited so 
long before recommending legislation. 

The four privacy principles of the Online Privacy Alliance and the FTC (namely 
notice, choice, access and security) are necessary but not sufficient to adequately 
protect privacy. Orwell Long Distance, for example, would post a privacy policy (no- 
tice), offer an 800 number where people can opt out of surveillance (choice), let con- 
sumers fill out their own change-of-address forms (access), and deliver all its lists 
to telemarketers encrypted (security). Missing are affirmative consent and purpose 
specificity: not using information gathered for one purpose (to complete the phone 
call) for another purpose (to give to telemarketers) without gaining affirmative 
permission. These are among the principles endorsed by the OECD in 1980 and used as 
the basis of privacy laws in most developed countries, including recently Canada. 

The Consumer Privacy Protection Act of 2000 

The Consumer Privacy Protection Act from Senator Hollings and his colleagues 
is a landmark work, making giant strides towards the wide application of all these 
principles, across technologies and across market sectors, within a legal framework 
that will really protect privacy in this country. 

The CPPA addresses the problem that privacy policies have become “moving tar- 
gets” that are constantly subject to change. Requiring consent for material changes 
in use is an important part of the principle of purpose specificity. In line with this 
goal, the requirement for notice might be waived when the policy change merely 
narrows the purposes to which information is put, rather than widening them. 

The CPPA moves toward addressing the urgent need for standing institutions 
that consider privacy and security policy issues not merely in the context of com- 
merce, but also of government, society and human rights. 

Very importantly, the bill provides a private right of action, which is essential if 
people are to have the means to protect their own interests. Some, but not all en- 
forcement power should vest in agencies such as the FTC. Experience with the Tele- 
phone Consumer Protection Act of 1991 dispels the scare mongering claim that a 
vast government bureaucracy would be needed to curtail privacy violations. The 
FTC has restricted its enforcement actions to cases of fraud (which are indeed wide- 
spread and severe in that industry). State Attorneys General occasionally take ac- 
tion. But it is the precious few individuals who file suit in small claims court that 
have done the most to discourage the telemarketing industry from routinely vio- 
lating the law. 

Finally, to allow further progress, federal laws should not preempt state law. A 
good federal law that allows state Attorneys General sufficient enforcement powers 
will reduce the need for new state-specific legislation, but the states should not be 
deprived of their traditional role as laboratories of legislative innovation. 

Congress now has before it a comprehensive proposal to head off the demise of 
privacy in this country. It is time for each member of Congress to decide whether 
the right to privacy is worth defending, or whether it should be allowed to lapse 
into a 20th century memory. 

Throughout this nation’s history, the world has looked to the United States as a 
bastion of liberty, and to its elected governments as defenders of individual rights. 
Congress now bears a great responsibility for determining whether that leadership 
will extend into cyberspace, and whether the American citizen’s right to privacy — 
a fundamental liberty — will endure into the 21st century. 

I appreciate the opportunity to speak before you today. I would be pleased to an- 
swer your questions. 

[A list of references is available at http://www.junkbusters.com/testimony.html 
on the Web.] 

The Chairman. Thank you, Mr. Catlett. 

Mr. Berman. 

STATEMENT OF JERRY BERMAN, EXECUTIVE DIRECTOR, 
CENTER FOR DEMOCRACY AND TECHNOLOGY 

Mr. Berman. Thank you, Mr. Chairman and Members of the 
Committee. It is a privilege to be here. 

My organization is a civil liberties organization, but also an 
Internet policy organization, and we are trying to maximize the 
democratic potential of the Internet to build a bill of rights in 
cyberspace. We have worked with all of you on different issues 
affecting the Internet, whether it is objectionable content and 
indecency and how to protect the rights of adults versus how to protect 
our children, encryption, communications privacy, and here data 
privacy. 

In every one of those areas we have recognized that the Internet 
is a different paradigm, it is global, it is decentralized, and that we 
need to focus in every one of those areas on empowering users and 
caretakers to protect their rights. That is the thrust of every model 
piece of legislation. 

There is consensus between Senator Burns’ effort with Senator 
Wyden a year ago, and the Boucher and Goodlatte effort that some- 
thing needs to be done. All four chairs of the Internet Caucus who 
share that vision of the Internet are supporting privacy legislation. 

It is very important to understand that none of that legislation 
is saying government takes over the Internet. All the thrust of that 
legislation is to empower users to protect their rights on the Inter- 
net. And users cannot protect their rights if they have a crazy quilt 
of notice and obfuscation on the net where they do not know what 
the information policies are of those nets, of those Web sites, and 
they cannot exercise the right to choose or opt-in or opt-out of par- 
ticular practices, and there has to be flexibility in that area. 

The legislation I see that has been introduced not only provides 
that baseline information, that information will not be provided by 
100 percent of the sites until Congress acts, because everyone can 
be a publisher on the Internet. There are so many net sites that 
do not know that privacy is even an issue. It is not the last mile, 
as Christine Varney says, because if Yahoo does not know what no- 
tice is required and they may be suffering from a potential prosecu- 
tion over their eight pages, what about the little Web site? 

Is it not important for the government to set some standard so 
that people on the Internet, the Web sites and consumers, know 
where they are? That is the key part of this legislation. 

You do not have to rely on the heavy hand of government, par- 
ticularly in trying to figure out on the web what notice means. You 
can also rely on self-enforcement and some of the web, TrustE and 
BBBOnLine, they can become safe harbors under the legislation. 
But to move it from 8 percent takeup by the industry to 100 per- 
cent is going to require some push that they know that is a safe 
harbor, and only Congress can do that. 

If Congress does not act in this area, you are facing 270 bills in 
the States, and we have recognized in many areas that a crazy 
quilt of State laws is counterproductive, a burden on the Internet, 
a burden on commerce, a burden on speech, and not in the interest 
of the Internet. 

I think that the companies like AOL and IBM and Microsoft and 
others that we have worked with on their online privacy guidelines 
have done a terrific job and they have moved forward and they 
should be commended for it. But they cannot bear the burden and 
they do not have the resources or the time to drag the other Web 
sites along or to subsidize them or to pick them up. That is a role 
for government, and it is balancing and making their practices the 
best practices as part of legislation which will build legislation 
which maps onto the decentralized Internet and preserves and pro- 
tects and enhances the values that we share. 

Thank you. 

[The prepared statement of Mr. Berman follows:] 

Prepared Statement of Jerry Berman, Executive Director, Center for 
Democracy and Technology 

Mr. Chairman and members of the Committee, the Center for Democracy & Tech- 
nology (CDT) is pleased to have this opportunity to speak to you about the impor- 
tant subject of privacy on the Internet. CDT is a non-profit, public interest organiza- 
tion that is dedicated to developing and implementing public policies to protect civil 
liberties and democratic values on the Internet. CDT has been at the forefront of 
efforts to establish and protect the very high level of constitutional protection that 
speech on the Internet has been afforded by the United States Supreme Court in 
the Reno v. ACLU 1 decision, and to develop sound public policies and technical solu- 
tions to protect individual privacy. 

Mr. Chairman, the Internet is at a critical junction in its evolution. Although as 
a popular mass medium the Internet is less than ten years old, it is already enter- 
ing into a period of significant transformations. Ensuring privacy on the Internet 
requires a multi-faceted approach that draws upon the strengths of technology, self- 
regulation, and legislation to deliver to the American public the ability to exercise 
control over their personal information. 

I wish to emphasize four key points this morning: 

• Privacy is not a partisan issue. Privacy is a deeply held American value. It is 
broadly supported by the American public and has frequently been the subject 
of bi-partisan legislative efforts. 

• Privacy and the Internet are ill served by a crazy quilt of standards. Consist- 
ency is critical to consumers, businesses, and the character of the Internet. In 
an environment where everyone is a publisher and a business it is impossible 
to develop a consistent standard for privacy without legislation. While self-regu- 
latory efforts, auditing, and self-enforcement schemes work for some businesses, 
on its own it will result in an inconsistent framework of privacy protection. 

• Industry leaders should not ignore or carry bad actors or outliers, but rather 
participate in a system of self-regulation and legislation that ensures a level 
playing field and predictable standards. Industry leaders would be ill advised 
to ignore the cost to privacy of bad actors and newcomers. Bad actors will not 
self-regulate: the clueless or new on the scene may not have the resources or 
wherewithal to participate in regulating their own behavior. Law is critical to 
spreading the word and ensuring widespread compliance with fair, privacy pro- 
tective standards. By building a system of self-regulation and legislation we can 
create a framework of privacy and instill consumer trust. 

• Legislation can and should support self-regulation and technical developments. 
The tired debate over self-regulation versus legislation does not serve our mu- 
tual interest in privacy protection. It is our collective task to develop a legisla- 
tive privacy proposal that fosters the best industry has to offer through self-en- 
forcement and privacy enhancing tools. Realizing privacy on the Internet de- 
mands that we develop a cohesive framework that builds upon the best all three 
of these important tools offer. 


I. Privacy 

The critical starting point on the privacy questions is the current state of privacy 
(and citizens’ expectations of privacy) and the ways in which the evolution of the 
Internet may threaten privacy principles. 

CDT believes that a key privacy consideration should be individuals’ long-held 
expectations of autonomy, fairness, and confidentiality, and policy efforts should 
ensure that those expectations are respected online as well as offline. 2 These 
expectations exist vis-a-vis both the public and the private sectors. By autonomy, we mean 
the individual’s ability to browse, seek out information, and engage in a range of 
activities without being monitored and identified. Fairness requires policies that 
provide individuals with control over information that they provide to the 
government and the private sector. In terms of confidentiality, we need to continue to 
ensure strong protection for e-mail and other electronic communications. 

1 American Civil Liberties Union v. Reno, 929 F. Supp. 824, 844 (E.D. Pa. 1996), aff’d, Reno 
v. American Civil Liberties Union, 521 U.S. 844 (1997). 

2 For a fuller exploration of these issues see, e.g., Testimony of Deirdre Mulligan, Staff 
Counsel of the Center For Democracy & Technology, Before the Subcommittee on Communications 
of the Senate Committee on Commerce, Science, and Transportation, July 27, 1999. 

As it is evolving, the Internet poses both challenges and opportunities to pro- 
tecting privacy. The Internet accelerates the trend toward increased information col- 
lection that is already evident in our offline world. The trail of transactional data 
left behind as individuals use the Internet is a rich source of information about 
their habits of association, speech, and commerce. When aggregated, these digital 
fingerprints could reveal a great deal about an individual’s life. The global flow of 
personal communications and information coupled with the Internet’s distributed 
architecture presents challenges for the protection of privacy. 

II. The Expectation of Fairness and Control Over Personal Information: 
What the FTC’s Report Reveals 

When individuals provide information to a doctor, a merchant, or a bank, they ex- 
pect that those professionals/companies will collect only information necessary to 
perform the service and use it only for that purpose. The doctor will use it to tend 
to their health, the merchant will use it to process the bill and ship the product, 
and the bank will use it to manage their account — end of story. Unfortunately, cur- 
rent practices, both offline and online, foil this expectation of privacy. Much of the 
concern with privacy in electronic commerce stems from a lack of robust privacy 
rules in various sectors of the economy, such as financial and health, that handle 
a treasure trove of sensitive information on individuals. Whether it is medical infor- 
mation, or a record of a book purchased at the bookstore, or information left behind 
during a Web site visit, information is routinely collected without the individual’s 
knowledge and used for a variety of other purposes without the individual’s knowl- 
edge — let alone consent. 

The online environment facilitates the collection of information about consumers 
that offline entities can only dream of. To paraphrase Chairman Pitofsky, “Not only 
do they know I ordered the steak, but they know I considered the salmon and how 
long it took me to make up my mind.” Recent months have witnessed detailed reports, 
investigations, and law suits about the surreptitious collection of personal informa- 
tion by businesses — some completely unknown and invisible to the consumer. From 
network advertisers to fraud detection systems, profiling Web site visitors is routine. 
Using a mix of “cookies,” “web bugs,” and other monitoring techniques consumers 
are routinely being watched, their activities assessed, and their experience of the 
Internet altered. 

The FTC report released on Monday is the third study to assess the state of pri- 
vacy on the World Wide Web. This year’s report is by far the most comprehensive 
study of consumer privacy online. Not only did the FTC tally raw numbers, but also, 
finally, the FTC explored the important question of whether improved numbers 
equal improved privacy for consumers. The good news is that progress, in terms of 
sheer numbers, continues. The disappointing news is that the sum is less than the 
parts. 

• The head count is improving. 

The constant call by industry, the FTC, and consumers for privacy policies has 
been heeded. Today, consumers are more likely than not to find a privacy statement 
of some sort at Web sites. The number of sites sporting a “privacy policy” — a com- 
prehensive description of a Web site’s information practices that is located in one 
place — has risen from 2% in 1998 to 62% in 2000. Similarly, more Web sites are 
providing consumers with some information about how they use information (re- 
ferred to as “information practice statement” or “privacy disclosure”). In 1998 only 
14% of surveyed sites made any statement about their use of personal information. 
This year 79% of the surveyed sites posted at least one information practice state- 
ment. While progress was more modest in other areas, every area witnessed some 
improvement over previous years. 

• Notice, choice, access, and security remain the exception not the rule. 

While progress continues, the Web has not witnessed the widespread implementa- 
tion of the Fair Information Practice principles of notice, choice, access, and secu- 
rity. (The principles are set forth in detail in Appendix A.) While the number of sites 
meeting this standard has doubled — from 10% in 1999 to 20% in 2000 — the number 
represents a small portion of total Web sites. It is troubling to note that even at 
those sites that sport a privacy seal from a self-regulatory program adherence to 
these four fair information practices hovers at 52%. And of the sites surveyed, 8% 
participate in a seal program — leaving the critical area of self-regulatory enforce- 
ment unsettled. 

• A lack of clear rules has led to the proliferation of confusing privacy notices 
that are beyond the reading comprehension skills of the majority of the American public. 

This year the FTC delved into the difficult realm of substantive analysis of pri- 
vacy policies. What they found mirrors CDT’s experience — and based on reports and 
e-mail those of consumers as well. (Appendix B* includes several examples of Web 
site privacy policies that contain confusing and contradictory statements.) Privacy 
policies can be exceedingly difficult to decipher. Several articles have documented 
the difficulties faced by consumers seeking to understand the protections a Web site 
affords them by reading privacy policies. 3 As Chairman Pitofsky stated in a recent 
USATODAY.com story, “Some sites bury your rights in a long page of legal jargon 
so it’s hard to find them and hard to understand them once you find them. Self- 
regulation that creates opt-out rights that cannot be found (or) understood is really 
not an acceptable form of consumer protection.” 4 

While some sites may be actively attempting to confuse consumers — for example 
CDT identified several privacy policies that use common terms in a misleading fash- 
ion and others that contain contradictory statements. In general, we believe that 
Web sites are in the unenviable position of trying to assuage legitimate public con- 
cern with privacy and ensure their attorneys that in doing so they will not uninten- 
tionally create a liability disaster. The rock and the hard place that many Web sites 
find themselves in creates a tendency toward legalese, over and under disclosure, 
and hedging. When doing the right thing creates liability that those who sit still 
don’t face, notices resemble legal disclaimers rather than vehicles for consumer edu- 
cation and empowerment. 

Regardless of the intent, consumers’ interests are ill served by policies that are 
written in complex, vague language. Guidelines on the essential elements for inclu- 
sion in a notice would help both consumers and businesses. It would likely result 
in shorter more direct statements for consumers, and, for businesses, it would take 
some of the risk out of the process of writing a privacy policy notice. 

• Surreptitious data collection techniques continue to grow. 

Over the past twelve months privacy concerns surrounding the use of technology 
to track and profile individuals has taken center stage. From the joint FTC and De- 
partment of Commerce workshop on Online Profiling, to the massive online con- 
sumer protest of Doubleclick’s withdrawn proposal to tie online profiles to individ- 
uals’ offline identities, to the private lawsuits against Realnetworks, to State Attor- 
neys’ General actions against Doubleclick — it is clear that policy-makers and the 
public are concerned with the use of technology to undermine privacy expectations. 

There is reason for concern. Third-party cookies, as the FTC Web sweep reports, 
are routinely found at commercial Web sites. In fact, consumers visiting 78% of the 
100 most popular Web sites will be confronted with cookies from entities other than 
the Web site. While the growth of third-party cookies continues, less than 51% of 
the top 100 sites that set third-party cookies tell consumers about this practice. 

Similarly, the use of “web bugs” or clear gifs — invisible tags that Internet mar- 
keting companies use to track the travels of Internet users — has grown exponen- 
tially over the past year. Richard Smith, a well-known computer security expert, in 
his presentation to the Congressional Privacy Caucus stated that in January 2000 
approximately 2000 “web bugs” were in use on the Web (according to a search using 
AltaVista), but in just 5 months that number multiplied ten-fold to 27,000. 5 While 
the FTC did not look for “web bugs” or for statements about them, it is unlikely 
that Web sites are telling consumers about this new tracking device. 

III. Bringing Privacy to the Internet 

Privacy as discussed above is a complex concept. It encompasses our right to with- 
hold information, our interest in maintaining confidences in information we will- 
ingly choose to disclose, as well as our right to walk — or surf — the streets without 
having every step captured, analyzed and tied to our identity forevermore. 
Protecting these three interests — autonomy, fairness, and confidentiality requires a 
wise use of resources in the public and private sector. Of utmost importance it 
demands that we empower individuals with the information, tools, and protections 
necessary to exercise meaningful control over their personal information. To deliver 
privacy we must build a program of self-regulation and legislation, and support the 
widespread deployment of privacy enhancing technology. 

* Appendix B has been retained in the Committee files. 

3 See, Will Rodger, “Privacy isn’t public knowledge: Online policies spread confusion with legal 
jargon,” USATODAY.com, May 1, 2000 <http://www.usatoday.com/life/cyber/tech/cth818.htm>; 
The Industry Standard, March 13, 2000, at 208-9. 

4 Will Rodger, “Privacy isn’t public knowledge: Online policies spread confusion with legal 
jargon,” USATODAY.com, May 1, 2000. <http://www.usatoday.com/life/cyber/tech/cth818.htm> 

5 Richard M. Smith, Statement at the Congressional Privacy Caucus briefing, May 18, 2000. 
See, http://www.tiac.net/users/smith for additional information on “web bugs” and other 
privacy and security issues. 

A. Enforceable Fair Information Practices are Essential in the Online 
Marketplace 

The Federal Trade Commission’s latest report confirmed what advocates, industry 
representatives and the public knew: privacy on the Internet is far from a reality. 
The Federal Trade Commission’s five year focus on privacy has raised the level of 
attention and concern, but has not delivered anything close to comprehensive com- 
pliance by businesses operating online. Despite commendable efforts such as BBB 
Online and TrustE, judged by the full set of agreed upon privacy principles the over- 
whelming majority of Web sites have not delivered privacy to the marketplace. 

Numerous surveys have documented the public’s overwhelming concern with pri- 
vacy online. Many responsible industry actors are engaged in efforts to craft privacy 
rules; unfortunately many other companies have yet to take the actions necessary 
to protect privacy. We have the opportunity to develop privacy rules that establish 
strong protections for individuals, a fair baseline for a competitive marketplace, and 
a framework of trust for electronic commerce. Embedding these rules in federal leg- 
islation will not be easy, but it can, and ultimately must, be done. 

If Congress fails to act on the FTC’s recommendation, there is no doubt that the 
states will fill the gap. At last count over 200 privacy bills were introduced at the 
state level. While many do not directly deal with online privacy, several do. The 
states have become increasingly active in protecting consumer privacy and if left 
with a vacuum it is likely that they will step in. A strong federal law is in the inter- 
est of consumers, industry and the Internet. If the rules provide strong protections 
for privacy, consumers and businesses would both benefit from the certainty that 
a federal approach affords. In addition, the borderless nature of communication and 
commerce on the Internet is best approached with common rules. A patchwork of 
inconsistent and conflicting standards could increase consumer confusion, burden 
businesses, and interfere with the relatively seamless operation of the Internet. 

B. Delivering on Technology’s Promise: Ubiquitously Available, Tools that
Empower Consumers to Make Real-Time, Flexible Decisions About
Their Personal Information.

1. Technology is critical to consumer privacy on the Internet. 

The specifications, standards, and technical protocols that support the operation 
of the Internet offer a new way to implement policy decisions. By building privacy 
into the architecture of the Internet, we have the opportunity to advance public poli- 
cies in a manner that scales with the global and decentralized character of the net- 
work. As Larry Lessig repeatedly reminds us, “(computer) code is law.” 

Accordingly, we must promote specifications, standards and products that protect 
privacy. A privacy-enhancing architecture must incorporate, in its design and func- 
tion, individuals’ expectations of privacy. For example, a privacy-protective architec- 
ture would provide individuals the ability to “walk” through the digital world, 
browse, and even purchase without disclosing information about their identity, 
thereby preserving their autonomy and ensuring the expectations of privacy. A pri- 
vacy-protective architecture would enable individuals to control when, how, and to 
whom personal information is revealed. It would also provide individuals with the 
ability to exercise control over how information once disclosed is subsequently used. 
Finally, a privacy-protective Internet architecture would provide individuals with 
assurance that communications and data will be technically protected from prying 
eyes. 

While there is much work to be done in designing a privacy-enhancing architec- 
ture, some substantial steps toward privacy protection have occurred. Positive steps 
to leverage the power of technology to protect privacy can be witnessed in tools like 
the Anonymizer, Crowds, and Onion Routing, which shield individuals’ identity dur- 
ing online interactions, and encryption tools such as Pretty Good Privacy that allow 
individuals to protect their private communications during transit. 

The World Wide Web Consortium’s Platform for Privacy Preferences (“P3P”) is 
also a promising development. The P3P specification will allow individuals to query 
Web sites for their policies on handling personal information and to allow Web sites 
to easily respond. While P3P does not drive the specific practices, it is a standard 
designed to promote openness about information practices, to encourage Web sites 
to post privacy policies, and to provide individuals with a simple, automated method 
to make informed decisions. Through settings on their Web browsers, or through 
other software programs, users will be able to exercise greater control over the use
of their personal information. 

An important milestone is June 21. On that day, major Internet companies will 
offer the first public demonstration of a new generation of Web-browsing software 
based on P3P, designed to give users more control over their personal information 
online. We are hopeful that P3P products will provide consumers with increased 
control over their personal information. Technologies must be a central part of our 
privacy protection framework, for they can provide protection across the global and 
decentralized Internet where law or self-regulation alone may prove insufficient. 

2. Tools must reflect the diversity of consumers’ privacy needs. 

Privacy is not the same as secrecy. Tools must support individuals’ needs to shield 
their identity, reveal certain information to a limited set of entities, ensure informa- 
tion is not compromised in transit, and protect information stored on their own com- 
puter. While tools are coming to market that reflect consumers’ varied needs for pri- 
vacy, there is much work to be done. 

The Internet Engineering Task Force (IETF) is undertaking a critical privacy ef- 
fort. IETF is working on two standards that would create new guidelines for the 
appropriate use of cookies. While cookies are helpful for Web sites looking to main- 
tain relationships with visitors, they have been implemented in ways that give users 
very little control and have been used by some to subvert consumers’ privacy. On 
most browsers, users are given only the option to either accept or reject all cookies 
or to be repeatedly bombarded with messages asking if it is OK to place a cookie. 

The IETF is considering two complementary “Internet drafts” that would encour- 
age software makers to design cookies in ways that give users more control. These 
drafts lay out guidelines for the use of cookies, suggesting that programmers should 
make sure that: 

• the user is aware that a cookie is being maintained and consents to it,

• the user has the ability to delete cookies associated with a Web visit at any 
time, 

• the information obtained through the cookie about the user is not disclosed to 
other parties without the user’s explicit consent, and 

• cookie information itself cannot contain sensitive information and cannot be 
used to obtain sensitive information that is not otherwise available to an eaves- 
dropper. 

The drafts say that cookies should not be used to leak information to third parties 
nor as a means of authentication. Both are common practices today. The IETF is 
expected to make its decision to move forward with these, and perhaps other cookie 
specifications, before the end of the summer and will invite public comments at that 
time. 6 

The recent report of the Federal Trade Commission’s Advisory Committee on On- 
line Access and Security recommended that steps be taken to improve security. The 
Committee’s report highlighted the need for Internet businesses to develop robust 
security practices that protect data from both internal and external threats and pro- 
tect customer data during both transit and storage. Specifically the Advisory Com- 
mittee recommended that: 

• Each commercial Web site should maintain a security program that applies to 
personal data it holds. 

• The elements of the security program should be specified (e.g., risk assessment, 
planning and implementation, internal reviews, training, reassessment). 

• The security program should be appropriate to the circumstances. This stand- 
ard, which must be defined case by case, is sufficiently flexible to take into ac- 
count changing security needs over time as well as the particular circumstances 
of the Web site — including the risks it faces, the costs of protection, and the 
data it must protect. 

It is critically important that standard setting bodies support the development of 
privacy enhancing technologies and robust security standards. It is equally impor- 
tant that businesses bring these important developments to the mainstream market 
in products that are accessible and user-friendly for individual consumers and the 
myriad of small shop-keepers establishing Web sites. 


6 The draft can be found at: http://www.ietf.org/internet-drafts/draft-iesg-http-cookies-03.txt 
and http://www.ietf.org/internet-drafts/draft-ietf-http-state-man-mec-12.txt.





3. Tools must be widely available and easy to use. 

In the area of child protection, industry and the public interest community have 
collaborated on efforts to bring tools and information to consumers through common 
resources, educational campaigns and other efforts. Similarly, privacy enhancing 
tools must be widely deployed if they are to truly benefit all consumers. While expe- 
rienced Internet users may avail themselves of today’s tools, it is unlikely that new- 
comers can find them, let alone use them effectively. As privacy enhancing tech- 
nologies come to market ensuring their wide-spread availability and use should be 
a priority. 

IV. Conclusion: Protecting Privacy on the Internet Requires a Multi-pronged
Approach that Involves Self-regulation, Technology, and Legislation.

On self-regulation, we must continue to press the Internet industry to adopt pri- 
vacy policies and practices, such as notice, consent mechanisms, and auditing and 
self-enforcement infrastructures. We must realize that the Internet is global and de- 
centralized, and thus relying on legislation and governmental oversight alone simply 
will not assure privacy. Because of extensive public concern about privacy on the 
Internet, the Internet is acting as a driver for self-regulation, both online and off- 
line. Businesses are revising and adopting company-wide practices when writing a 
privacy policy for the Internet. Efforts that continue this greater internal focus on 
privacy must be encouraged. 

On the technology front, while the Internet presents new threats to privacy, the 
move to the Internet also presents new opportunities for enhancing privacy. Just as 
the Internet has given individuals greater ability to speak and publish, it also has 
the potential to give individuals greater control over their personal information. We 
must continue to promote the development of privacy-enhancing and empowering 
technology, such as the World Wide Web Consortium’s Platform for Privacy Pref- 
erences (“P3P”), which will enable individuals to more easily read privacy policies 
of companies on the Web, and could help to facilitate choice and consent negotia- 
tions between individuals and Web operators. 

On the public policy front, we must adopt legislation that incorporates into law 
Fair Information Practices — long-accepted principles specifying that individuals 
should be able to “determine for themselves when, how, and to what extent informa- 
tion about them is shared.” 7 Legislation is necessary to guarantee a baseline of pri- 
vacy on the Internet, but it is not one-size-fits-all legislation. Congress must do 
more to protect privacy in key sectors such as privacy of medical records. For con- 
sumer privacy on the Internet — and we believe more broadly — there needs to be 
baseline standards and fair information practices to augment the self-regulatory ef- 
forts of leading Internet companies, and to address the problems of bad actors and 
uninformed companies. We also stress that legislation is needed to raise the stand- 
ards for government access to citizens’ personal information increasingly stored 
across the Internet, ensuring that the 4th Amendment continues to protect Ameri- 
cans in the digital age. 8 

Several proposals are circulating in Congress today. Members of this Committee 
have introduced two important bills: Senator Hollings’ “Consumer Privacy Protection
Act” (S. 2606); and, Senators Burns and Wyden’s “Online Privacy Protection Act” (S.
809). We believe that the outlines of sound privacy protection for the online environ- 
ment have taken shape and look forward to working with this Committee on these 
efforts. 

The history of the Internet is that policy regimes are first created by consensus 
among a broad cross section of the community. CDT is committed to participating 
in any process that helps to build a new social contract embodying democratic val- 
ues in the emerging online world. The work of the Federal Trade Commission — 
through its public workshops, hearings, and its recent Advisory Committee on On- 
line Access and Security — provides a model of how to vet issues and move toward 
consensus. We look forward to working with this Committee, as well as others, the 
industry and the public interest community to build a cohesive system of privacy 
protections for the online environment. Thank you for the opportunity to participate 
in this timely hearing. 


7 Alan Westin. Privacy and Freedom (New York: Atheneum, 1967) 7. 

8 See, Testimony of Deirdre Mulligan, Staff Counsel of the Center for Democracy & Tech- 
nology, before the Subcommittee on Courts and Intellectual Property of the House Committee 
on the Judiciary, March 26, 1998, at 11-13 (concerning disclosure of subscriber information to 
the U.S. Navy). 

Appendix A

The Code of Fair Information Practices as stated in the Secretary’s Advisory 
Comm. on Automated Personal Data Systems, Records, Computers, and the Rights
of Citizens, U.S. Dept. of Health, Education and Welfare, July 1973:

1. There must be no personal data record-keeping systems whose very existence 
is secret. 

2. There must be a way for an individual to find out what information about 
him is in a record and how it is used. 

3. There must be a way for an individual to prevent information about him that 
was obtained for one purpose from being used or made available for other pur- 
poses without his consent. 

4. There must be a way for the individual to correct or amend a record of identi- 
fiable information about him. 

5. Any organization creating, maintaining, using, or disseminating records of 
identifiable personal data must assure the reliability of the data for their in- 
tended use and must take precautions to prevent misuse of the data. 

The Code of Fair Information Practices as stated in the OECD guidelines on the 
Protection of Privacy and Transborder Flows of Personal Data
http://www.oecd.org/dsti/sti/ii/secur/prod/PRIV EN.HTM:

1. Collection Limitation Principle: There should be limits to the collection of per- 
sonal data and any such data should be obtained by lawful and fair means and, 
where appropriate, with the knowledge or consent of the data subject. 

2. Data quality: Personal data should be relevant to the purposes for which they 
are to be used, and, to the extent necessary for those purposes, should be accu- 
rate, complete and kept up-to-date. 

3. Purpose specification: The purposes for which personal data are collected 
should be specified not later than at the time of data collection and the subse- 
quent use limited to the fulfillment of those purposes or such others as are not 
incompatible with those purposes and as are specified on each occasion of 
change of purpose. 

4. Use limitation: Personal data should not be disclosed, made available or oth- 
erwise used for purposes other than those specified in accordance with the “pur- 
pose specification” except: (a) with the consent of the data subject; or (b) by the 
authority of law. 

5. Security safeguards: Personal data should be protected by reasonable security 
safeguards against such risks as loss or unauthorized access, destruction, use, 
modification or disclosure of data. 

6. Openness: There should be a general policy of openness about developments, 
practices and policies with respect to personal data. Means should be readily 
available of establishing the existence and nature of personal data, and the 
main purposes of their use, as well as the identity and usual residence of the 
data controller. 

7. Individual participation: An individual should have the right: (a) to obtain 
from a data controller, or otherwise, confirmation of whether or not the data 
controller has data relating to him; (b) to have communicated to him, data relat- 
ing to him: within a reasonable time; at a charge, if any, that is not excessive; 
in a reasonable manner; and, in a form that is readily intelligible to him; (c) 
to be given reasons if a request made under subparagraphs (a) and (b) is de- 
nied, and to be able to challenge such denial; and, (d) to challenge data relating 
to him and, if the challenge is successful to have the data erased, rectified, completed
or amended.

8. Accountability: A data controller should be accountable for complying with 
measures which give effect to the principles stated above. 

The Chairman. Thank you, Mr. Berman. 

Mr. Weitzner. Is that the proper pronunciation? 

STATEMENT OF DANIEL J. WEITZNER, TECHNOLOGY AND
SOCIETY DOMAIN LEADER, WORLD WIDE WEB CONSORTIUM 

Mr. Weitzner. That is exactly correct. 

The Chairman. Welcome, Mr. Weitzner. 

Mr. Weitzner. Thank you, Chairman McCain. It is an honor to 
be here and I am very pleased to be part of this discussion. 

My testimony, which I have submitted and I will not read all of, 
makes three very basic points. First, and I think based on the discussion
we do not even have to go through this any further, the increasing
sophistication of web technology enables the collection of
large volumes of personal information, both directly from users and 
in the background in some way or another. Some characterize it as 
surreptitious, others characterize it as convenient. But there is an 
increasing volume of information collected. 

Second, the World Wide Web Consortium, the organization I 
work for, which is the group that sets technical standards for the 
web and includes over 420 members from industry, academia, re- 
search, consumer organizations all around the world, recognized 
the increasing consumer concern over privacy and we therefore 
launched a project called P3P, the Platform for Privacy Pref- 
erences, which will enable the marketplace to deliver software tools 
and services that enhance users’ knowledge of Web sites’ informa- 
tion practices and give users more control over their personal infor- 
mation. 

Finally, I hope that we can dispense with the false dichotomies, 
the false choices, presented between law, regulation, technology, in- 
dustry practices, or self-regulation. I think it should be clear to us 
that some balance of all of those factors is needed. No one of those 
is going to solve the problem — not law, not self-regulation, not tech- 
nology. So we do not need to worry about any one of them being 
sufficient. I think we should all just stipulate that we need to find 
the right combination. 

I am going to 

The Chairman. You are saying right combination of legislation 
and regulation? Is that what you are saying? 

Mr. Weitzner. Well, I suppose that is a further distinction that 
I would probably leave to you. I think we need some kind of legal 
baseline. Whether that is implemented solely in statute or through 
regulation is something I would leave to you. But I think we need 
a legal framework in which to operate here along with technology 
tools and responsible industry practices. 

Let me dispense with the discussion of all the myriad ways that 
information, personal information, can be collected online because 
I think there is a general appreciation for that point, and I want 
to talk directly about W3C’s efforts to build technology tools that 
will help enhance users’ privacy experiences and particularly, given 
all the discussion we have had, we have heard already, about the 
complexity of privacy policies, the difficulty of finding them, the 
number of words that one has to get through to get to the bottom 
line of the policy, let me talk in a little bit more detail about W3C’s 
Platform for Privacy Preferences. 

Through this project, which is really a project to develop technical
standards that address privacy, we hope to enable the development
of a variety of tools and services, produced by the marketplace,
that give users greater control over personal information and
thereby enhance trust between web services and individual users. 

P3P enables services, whether they are in web browsers, in web 
servers, in other pieces of software or services that users come 
across, that will enhance user control by putting privacy policies 
where users can find them, by presenting the policies in a form 
that users can understand, and, most importantly, by enabling 
users to act on the policies that they see more quickly. 

For e-commerce services there are benefits as well. P3P can be 
used to make the browsing experience more seamless. Any web de- 
signer who is concerned about offering a product or a service to 
someone who visits their site has a difficult balancing task, even 
if they want to provide the maximum information about their pri- 
vacy policy to that user. It is not easy to present, and I think it 
is a fair point that it is sometimes complicated to articulate in 
prose, especially prose readable to the non-experts out there, ex- 
actly what information practices sites are engaged in, and I think 
it is quite fair to say that, whether it is Yahoo or any of the other 
really sophisticated, exciting services, they do a lot of different 
things with your personal information in a lot of different places, 
and to try to catalogue all that in one single place is bound to be 
complex. 

So with P3P what we have tried to do is to enable the association 
of particular web pages and privacy policies that apply to what is 
going on at that point on the web, so that when you are asked to 
fill out a form right there your browser will be able to tell you, not 
necessarily in prose terms but with graphical icons or some other 
means, exactly what is going to happen there when you submit 
that form data. 

Think if you will for a minute about the experience we have had 
with security on the web. Several have referred to the fact that 
there was great concern about providing credit card numbers on 
the web by a number of users. How was that concern alleviated? 
In some part it was alleviated by, I think, a very broad education 
campaign. In some part, though, it was alleviated because browsers 
added tools that told users that their transaction was secure. 

No one on this Committee may know the acronym SSL. That is 
the technology that secures the communication between a user and 
a Web site. But I think vast numbers of people who use the web 
recognize the little lock or the little key icons and know when that 
lock or that key is closed they should feel comfortable putting their 
credit card number onto that page. 

We are looking to do the same kind of thing for privacy, to be 
able to represent to users exactly what is going on at exactly the 
point in the Web site they are at, rather than forcing them to go 
back and read through the Web site and click through. I was 
amused at the description of the number of clicks. I have never ac- 
tually counted them, and the number of words, but I think that is 
exactly the problem that we are trying to address with P3P. 

Finally, P3P can help to assist with three of the four information 
practices that the FTC report has outlined. Obviously, notice; it 
provides a capability for presenting easy-to-understand notice to
users. It helps users to make a choice. 
Finally, it tells — it has the vocabulary to tell users exactly where
they can go, what they have to do, to get access to their personal 
information. Security is dealt with in other parts of web standards, 
so we have not addressed it directly in P3P. 

I would say that the question of access is complex and P3P does 
not pretend to provide a mechanism to enable access, but we do 
provide a way for users to understand how to go and get access. 

I want to just close by saying that I think that this Committee 
does face very difficult questions regarding what legal or regulatory 
framework, if any, is best to address privacy on the web. There are 
obviously a variety of options before you and I am not here to sup- 
port or oppose any particular approach. I would urge, though, that 
with or without legislation, with or without regulation, web users 
both in the United States and around the world need more power- 
ful technical tools to give them greater control over their online pri- 
vacy relationships and greater information about what kinds of re- 
lationships they enter into. 

Even with the most stringent privacy laws in place, I would sub- 
mit, so much of individual users’ practical privacy rights on a day 
to day basis depends on being able to make individualized choices 
about what they want done with their personal information in a 
particular interaction. The web is getting so complex that we are 
going to need technology tools to help with that. 

We certainly also need some way or another to encourage and in 
some cases most likely require Web sites that offer those choices. 
But we are going to need the tools to make those choices effective 
choices and make sure that they are not buried four or five clicks 
and thousands of words down in some policy. 

So I hope that, whatever action this Committee takes, it will be 
consistent with encouraging the development of these tools and 
unleashing the innovative forces in the marketplace which, wheth- 
er or not they have an incentive to provide privacy regulation, pri- 
vacy protection, the innovation that we see in this marketplace can 
help to solve these problems and we should make sure that it is 
able to do that. 

Thank you very much. 

[The prepared statement of Mr. Weitzner follows:] 

Prepared Statement of Daniel J. Weitzner, Technology and Society Domain 
Leader, World Wide Web Consortium 

Introduction 

Good Morning. My name is Daniel J. Weitzner. I thank the Committee for holding 
this hearing on online privacy and am honored to be able to contribute to your con- 
sideration of this critical issue. I am head of the World Wide Web Consortium’s 
(W3C) Technology and Society activities, responsible for development of technology 
standards that enable the Web to address social, legal, and public policy concerns. 
W3C, an international organization made up of over 420 members from industry, 
academe, users organizations and public policy experts, is responsible for setting the 
core technical standards for the World Wide Web. W3C was founded in 1994 by Tim 
Berners-Lee, inventor of the Web, who serves as the Director of the Consortium. In 
addition to my work at W3C, I also hold a research appointment at MIT’s Labora- 
tory for Computer Science, teach Internet public policy at MIT, and am a member 
of the Internet Corporation for Assigned Names and Numbers (ICANN) Protocol 
Supporting Organization Protocol Council. 

Today I will touch on three major points: 

• The Online Privacy Environment: Increasing sophistication in Web technology 
enables the collection of large volumes of personal information, sometimes with 
the explicit knowledge of the user, and sometimes in the “background.” While
this information may often be collected for purposes considered positive by the 
user, most users are unable to exercise meaningful control over data collection 
and in many cases will have little control over subsequent use of personal infor- 
mation. 

• The Platform for Privacy Preferences (P3P): W3C’s P3P project will enable the 
marketplace to deliver software tools and services that enhance users’ knowledge
of Web sites’ information practices and give users more control over their
personal information. A wide cross-section of the Web community has contrib- 
uted to the development of P3P and is now beginning to test early implementa- 
tions of the draft standard. 

• Balancing Law, Technology, and Industry Practice: All three of these elements 
are required to give users the privacy protections they need in the online envi- 
ronment. Whatever the mix of law and self-regulation, we should assure that 
it creates an environment that encourages the development of innovative pri- 
vacy-enhancing tools. 

I. The Online Privacy Environment 

The Internet and the World Wide Web have put extraordinary power over infor- 
mation in the hands of people and institutions around the world. With unprece- 
dented ability to both publish and access information in the hands of hundreds of 
millions of people, centuries old barriers to knowledge and exchange of ideas have 
vanished. Yet this same interactivity, the bi-directional ability to exchange informa- 
tion from any point to any other point on the Net has brought about significant 
threats to individual privacy. For the same communications mechanisms that give 
individuals the power to publish and access information can also be used, sometimes 
without the user’s knowledge or agreement, to collect sensitive personal information 
about the user and his or her information usage behavior. At W3C, our goal is to 
use the power of the Web, and enhance it where necessary with new technology, 
to give users and site operators tools to enable better knowledge of privacy practices 
and control over personal information. 

Urban legends of the Web’s imagined surveillance capabilities abound. Neverthe- 
less, Web technology has evolved quite sophisticated data collection techniques 
which have caused alarm and distrust among many users. State-of-the-art Web sites 
are able to collect personal information about users both directly, by presenting on- 
line forms to be filled out by users, and in the background, through use of various 
technologies such as access logs, cookies and, in some cases, the placement of small 
programs that run on users’ computers collecting information and delivering it back
to the site. The background techniques are often used to offer more customized, per- 
sonalized and easy-to-use services, many of which users appreciate. Yet, all but the 
most technologically sophisticated users have no practical ability to understand 
what sort of background data collection is taking place on their computers, much 
less limit such collection when they wish.

Powerful data collection techniques, users’ inability to know what is being collected
or how to stop it, together with occasional highly publicized abusive privacy
practices, all combine to generate a significant level of fear and distrust on the part 
of many Web users. Three of the most notable online privacy incidents in the last 
year illustrate how strongly users and the general public react when users discover 
that data collected about them may be used for a dramatically different purpose, 
or that personal information will be disseminated without their control. 

• Intel Processor Serial Number: Just before it released its new Pentium III proc- 
essor, Intel had to turn off access to the unique serial number inside each proc- 
essor because users objected to the inability to block transmission of this serial 
number to Web sites. Though Intel believed this ID would actually enhance security
by providing better transaction verification, users felt that it would be used
to track their browsing and buying habits without giving sufficient control to 
users. 

• Doubleclick personally-identifiable web usage tracking: Widespread outcry arose 
earlier this year when Doubleclick announced plans to use user information pre- 
viously collected to track surfing habits of users for the purpose of targeting 
banner ads. Users objected to the fact that information previously collected was
to be used for a different and more invasive purpose, and because it was not 
clear to many people how to opt-out of such tracking. Doubleclick has subse- 
quently withdrawn the tracking plans and mounted an education campaign to 
inform users, among other things, how to control the information collected by 
Doubleclick. 

W3C and its members became concerned about privacy on the Web because people
won’t use the Web to its full potential if they have to face such uncertainty. The 
majority of users are perfectly willing to share some information on the Web. At the 
same time, basic human dignity demands that we have meaningful control over
which information we choose to expose to the public. Our goal is to include in the
basic infrastructure of the Web the building blocks of tools that can provide each 
user this basic control. 

II. P3P Enables Greater User Control 

To help address growing concerns about online privacy, W3C launched the Plat- 
form for Privacy Preferences (P3P) project to enable the development of a variety 
of tools and services that give users greater control over personal information and 
enhance trust between Web services and individual users. 

P3P-enabled services will enhance user control by putting privacy policies where
users can find them, presenting policies in a form that users can understand,
and, most importantly, enabling users to act on what they see in policies more easily.
For e-commerce services and other Web sites, P3P can be used to offer a seamless
browsing experience for customers without leaving them guessing about privacy.
Moreover, P3P will help e-commerce services develop comprehensive privacy solu- 
tions in the increasingly complex value chain that makes the commercial Web such 
a success. On today’s Web, when a consumer buys a product or service from one 
Web site, completing the transaction may well involve numerous individual services 
linked together, each of which has some role in the ultimate delivery to the user 
and each of which has some responsibility for honoring the privacy preferences ex- 
pressed by the user at the beginning of the transaction. 

Consider all of the steps involved in the increasingly common processing, printing, 
distributing, and archiving of a digital photo. After the user takes a digital image with
a common digital camera, one site may be the point to which the photo is first 
uploaded, from there the user follows a link to another site that performs special 
image processing, after which the next site creates prints, which are then delivered
by yet another service to family members. Finally, yet another site may offer archi- 
val services for the photos. At each step along the way, these sites are dealing with 
sensitive information (the names of the people in the photos, their location, etc.). 

Setting the stage where such flexible combinations of services can be offered to 
users requires widespread agreement on standards, including the means of commu- 
nicating from one service to another about how personal information should be han- 
dled. Standards have a vital role in the operation of the Web in general. The Web 
is not run by any single organization, but it does enable people to share information 
around the world because everyone who operates a piece of the Web agrees to follow 
shared technical standards. In the same way as the HTML standard ensures that
everyone who looks at a Web page will see it as the author intended it to look, re- 
gardless of what computer or software is used, the P3P standard will enable every 
user and site operator on the Web to communicate in a common language about pri- 
vacy. 

Can users find P3P in their browsers today? Not yet, as the standard is only just 
being completed. P3P has been under development over the last two years at the 
World Wide Web Consortium in a design effort that has included software vendors, 
large commercial users, privacy advocates, and government data protection commis- 
sioners from around the world. Participants in the effort include 

• America Online/Netscape 

• American Express 

• AT&T 

• Center for Democracy and Technology 

• Commission Nationale de l’Informatique et des Libertés

• Citibank 

• Electronic Frontier Foundation 

• Microsoft 

• NCR 

• NEC 

• Nokia 

• Information and Privacy Commission/Ontario, Canada 

• PrivacyBank 

• Privacy Commissioner of Schleswig-Holstein, Germany 

• Phone.com 

• Geotrust 

With the standard definition nearly complete, we are now entering the testing and 
implementation phase. Our last step in finalizing the design of the standard is to 
host a series of interoperability testing events, one in June and one in September.
We are encouraged that a number of large Web software developers as well as inno- 
vative smaller services have committed to implementing P3P in their products. Fol- 
lowing this testing phase, we will issue a final standard for the Web community. 

III. Conclusion: Role of Law, Technology Tools, and Industry Practice in 
Privacy Protection 

This Committee faces hard questions regarding what regulatory framework, if 
any, will best address the serious privacy issues on the Web today. Congress may 
choose to enact a general privacy baseline, or may consider targeted legislation fo- 
cused on certain sensitive sectors, such as has already been done with respect to 
children’s privacy. Or, those who seek more time for self-regulatory efforts may take 
hold. I am not here to support or oppose any particular approach, but rather to sug- 
gest that with or without legislation, Web users in the United States and around 
the world need more powerful technical tools to give users greater control over their 
online privacy relationships. Similarly, e-commerce service providers need tools to 
enable them to build innovative, flexible, customizable services that respect users’ 
privacy rights and preferences. 

Even with the most stringent privacy laws one might imagine, so much of prac- 
tical privacy rights depends on users being able to make individualized choices 
about the privacy relationships that they want to have with the growing number of
Web-based services with which they interact. Effective exercise of informed choice,
whether under legislative mandate or enlightened self-regulation, can only be
accomplished in the increasingly complex Web of personal information with the help of
tools that users can use. So whatever the final outcome of this debate, we should 
all be committed to see that the innovative and entrepreneurial energy that abounds
in the Internet is able to develop innovative tools to help users and vendors.

The Chairman. Thank you. 

Ms. Lesser, Ms. Varney, do you have a response to Mr. Catlett’s 
allegations? 

Ms. Lesser. Well, I would say the following. Obviously, we sort 
of fundamentally disagree with Mr. Catlett on approach, but we 
fundamentally agree with Mr. Catlett on the need to protect con- 
sumers’ privacy. 

The Chairman. Do you disagree when he says that there is no 
technology that will solve this problem nor does the FTC have suf- 
ficient authority? 

Ms. Lesser. Let me take the first and then the second. On the 
technology question, I think it is certainly not technology alone. As 
Mr. Weitzner has laid out, there are lots of efforts going on in 
terms of technological development in helping consumers and busi- 
nesses have that conversation and making it easier for consumers 
to get notice and make choices, and that is critical. 

However, in order for technology to solve some of these problems, 
you have to rely on implementation and in many ways you need 
to rely on how businesses are going to deal with their consumers. 
So I would say, in answer to some of the questions raised about 
whether there are large companies or small companies having com- 
plicated, incomplete, misleading privacy policies, I would submit, 
based on our own data with our customers, those companies will 
not ultimately succeed in getting consumers’ trust and they will see 
a decrease in their business. 

So I do not think that technology can do it alone, but we have 
never relied on technology to do anything alone. It needs to be co- 
ordinated with good business practices. 

In terms of legislation, I think that, as I said, it is not a zero sum 
game. There may be areas where we need to see standards set by 
this Committee to guide the industry and to make sure that we are 
all headed in the right direction, particularly those of us who are 
not at this particular point. However, we need to do this in a delib-
erative way and make sure that we have identified what issues 
need to be addressed and who best to address them. 

I strongly believe that the FTC has an important role to play. I 
believe this Committee has an important role to play and that in- 
dustry and consumers engaged in a dialog have an important role 
to play. 

I will say there is one important thing I disagree with in Mr. 
Catlett’s remarks that I think it is important to emphasize, and 
that is the issue of preemption. However you folks begin to look at 
this issue, it is critical as we look at this medium, which we know 
is national but we also know is global, that we do not seek out a 
multiplicity of confusing and inconsistent standards, that whatever 
road we go down we make sure that companies, every single com- 
pany, be it the smallest company in any of the States represented 
here, go online and serve customers, they may be serving cus- 
tomers from all 50 States very quickly and from all over the world, 
and they simply, both large and small companies, cannot comply 
with a multiplicity of laws that are inconsistent around the globe 
and around this country. 

So I would strongly urge you, as you look at standards, to think 
clearly about the need to respect the global and national nature of 
the Internet online medium. 

The Chairman. Ms. Varney. 

Ms. Varney. Yes, Senator. As to the second question, the FTC 
authority, clearly the Federal Trade Commission has the authority 
to prosecute anybody who posts a privacy policy that is deceptive 
or misleading, and they should do it and perhaps they need more 
resources to do it. 

Do they have the authority to compel Web sites that do not post 
privacy policies to do so? Probably not. Do they have the authority 
to compel Web sites to post privacy policies using certain language 
or in a certain way? Probably not. 

The Chairman of the Federal Trade Commission and I, as a 
former Federal Trade Commissioner, have had a longstanding ar- 
gument, which I think you have heard before, about whether or not 
the FTC’s unfairness authority, as opposed to their deception au- 
thority, would be a sufficient basis for them to prosecute those who 
collect and use personal information for purposes other than it was 
provided without adequate notice and consent. 

The Chairman believes he does not have — that the Section 5 un- 
fairness standard does not give him that authority. I think it does. 
But he is a professor and a former dean of a university and he is 
the Chairman. 

The Chairman. Mr. Catlett. 

Mr. Catlett. Thank you, sir. On the issue of preemption, if Con- 
gress moves promptly and passes a good law that gives strong 
rights to individuals, then the States will not need to move in to 
address particular needs of their citizens. 

As to the question of inconsistent legislation, companies deal 
globally with this problem all the time. For example, Doubleclick 
does not set cookies in Germany because of laws that relate to pri- 
vacy. Therefore Germans are getting better privacy protection from 
an American company than Americans are. So companies do deal 
with these large differences and a nation gets the level of privacy
protection that it demands. 

The Chairman. Mr. Berman. 

Mr. Berman. I think some companies can deal with the crazy 
quilt of regulations. One of the arguments for legislation is to get 
away from that and to have some uniformity. I agree with Jason 
that it ought to be a high standard — and a standard that protects 
privacy, but it also has to protect the free flow of information over 
the Internet. And if our companies or our small Web sites have to 
figure out the laws and design their sales and their approaches to 
be consistent with every country in the world, I think that will be 
an enormous burden on commerce. 

So one of the reasons why I think that it is important for the 
United States and for us to work these things out now is to estab- 
lish we are a leader in the Internet and what the regulatory regime 
that makes sense for the Internet makes sense also internationally. 
A traditional large regulatory role over every Web site, which some 
Europeans advocate, I think is inconsistent with the way the web 
is designed and will not work. So it is part of providing leadership. 

One last point. These issues are complex and I think that in 
order to work them out it does require drilling down on what do 
we mean by notice, what do we mean by access, what do we mean 
by a remedy. What is fair when L.L. Bean sends your shoe size to 
the wrong company? Do they go to jail? Those are not easy ques- 
tions, what access do you have and what is the security, those 
issues. 

But — and I think that in order — and a regulatory agency should 
not be given an enormous amount of discretion. In order to limit 
that discretion, one of the things that Congress can do is when it 
writes its legislation, which is to make clear in legislative history 
and go and really use staff time and drill down on how its legislation
is going to work, then explain to the FTC and explain to the
public and to the companies what they have in mind. 

That is not easy legislation, but it is absolutely I think critical 
in this area or you will see too much discretion and you will not 
have the confidence of the Internet community. 

The Chairman. So, Mr. Catlett, along those lines, I like many 
others buy books online. Now when I go on one of these Web sites 
they say: Hi, John; we just got in a new biography of Napoleon we 
know you would like — which is true. They know, they know what 
my preferences are. So actually they are helping me by informing 
me of books that I would like to read. What is wrong with that? 

Mr. Catlett. That is a wonderful service, sir, and I use it my- 
self. 

The Chairman. You know what I am getting at here, OK. Where 
does the line stop where they are informing me and helping me 
and they are invading my privacy? 

Mr. Catlett. Everybody wants the benefits of personalized tech- 
nologies and the Internet is wonderful at providing that, provided 
that the personal information is treated fairly. That means several 
things: only using the information for the purpose that they col- 
lected it for, in the case of say making book recommendations, and 
not for selling to, giving to journalists who want to get a psycho- 
graphic profile of the individual who buys the books. 
Second, the individual should have access to that complete profile
that is built up so that they can be sure for themselves 

The Chairman. Like a FOIA, like a Freedom of Information Act. 

Mr. Catlett. Precisely, sir. And those laws should apply very 
broadly to all commercial entities that maintain personal informa- 
tion. It is the right of people to determine information that is held 
about them. That information is being used by companies sup- 
posedly for their benefit and so people have the right to see that 
information. 

The Chairman. Do they now? 

Mr. Catlett. No, they do not, sir. You have the right to see your 
credit report, but you do not have the right to see the vastly great- 
er profiles about you that marketing companies have. 

The Chairman. Is that fair, Ms. Lesser? 

Ms. Lesser. I think it is a fair articulation of the current law. 
I do not think it is necessarily a fair articulation of all business 
practices. So for example 

The Chairman. Now wait a minute. Is it fair for me not to know 
what 

Ms. Lesser. Oh, I am sorry, I misunderstood your question. 

The Chairman. Should I be able to see what Amazon.com’s pro- 
file of me is? 

Ms. Lesser. I imagine that if Amazon.com is creating, is giving 
you, for example, as we do, an opportunity to have a member pro- 
file — 

The Chairman. Is it fair for me to know what the profile is, Ms. 
Lesser? 

Ms. Lesser. Sure, absolutely, it is fair for you to know. 

The Chairman. But right now I do not have that right. 

Ms. Lesser. You will probably be given a right to know what 
your profile says by a lot of companies, because it is smart business 
practice. 

The Chairman. But if they do not choose to 

Ms. Lesser. Now, the level of — there is a difference between un- 
derstanding access, i.e., do you access directly into the data base 
or do you have an ability to basically say 

The Chairman. You are complicating the issue. 

Ms. Varney, do I have the right to know what profile is compiled 
on me by an Internet corporation? 

Ms. Varney. Do I get to ask you a question back, to further this? 

The Chairman. Yes. 

Ms. Varney. OK, thank you. 

The Chairman. Tragically, yes. 

[Laughter.] 

Ms. Varney. Do you want to know — the company is going to take 
what you have purchased on their Web site to develop their profile. 
Do you want access to everything that you have purchased? 

The Chairman. No, what their profile of me is. 

Ms. Varney. So you do not care about getting access to your past 
purchases? You want to see what they do with that information? 

The Chairman. I want to know what the profile is because obvi- 
ously they are letting other people know that profile. 

Ms. Varney. Why are they letting other people know the profile? 

The Chairman. I do not know why. For profit and fun. 

[Laughter.]

Ms. Varney. Not yours, Senator, I can assure you. 

The Chairman. I am sorry, Conrad. 

Ms. Varney. If they are not sharing the profile, does that matter 
to your question? 

The Chairman. Even if they are not sharing the profile. The FBI 
has a file on me and I hope they are not sharing it, and yet I have 
the ability — well, I do not care if they are. 

[Laughter.] 

The Chairman. Most citizens would not want that. So through 
the Freedom of Information Act I can find out, I can get my FBI 
file. Should I not be able to, through some kind of Freedom of In- 
formation Act, know the profile that is kept on me? 

Ms. Varney. Having been through the Senate confirmation proc- 
ess, I do have an FBI file and I have reviewed it, and what is in 
my FBI file are facts and summaries of conversations 

The Chairman. Should every American have the same right as 
they do with the FBI file? 

Ms. Varney. But Senator, that is what I am getting at, what is 
in the FBI file. If the FBI has a psychographic profile on me, I have 
not seen it, I cannot see it. 

The Chairman. They may and they may not. I have seen all 
kinds of FBI files. 

Ms. Varney. Can you see what they have on me? 

The Chairman. You are evading my question. Should they have 
the right to know the profile — should I have the right to know the 
profile that is kept on me? 

Ms. Varney. Senator, I do not mean to be evasive. I am trying 
to 

The Chairman. So you are not going to give me an answer? 

[Laughter.] 

Ms. Varney. I am going to give you an answer. 

The Chairman. Then say it. 

Ms. Varney. I am trying to draw a distinction 

The Chairman. If you want to ask me a question, you have got 
to give me a yes or no answer. 

Ms. Varney. I will, I will. You will not let me, though. I am try- 
ing to draw a distinction between the data that is used by a com- 
pany to create a profile and the profile. Obviously you have a right 
to all the data, the transactional data. What some of the companies 
will say back to you, whether or not you accept this argument, is: 
We spend a lot of time and a lot of money and hire a lot of people 
and do algorithms and all kinds of things to come up with what 
we think is the profile. It is our proprietary property. 

Is it good business sense to share it with you? Sure. Do you want 
to legislate it? Talk to the companies that do it. I do not know. 

The Chairman. So your answer is “I do not know.” Now, what 
is your question for me? 

Ms. Varney. I asked the question, whether you wanted access to 
the underlying data or to the profile that the data was used to gen- 
erate. 

Mr. Weitzner. Well, my question is I want to see your profile. 

The Chairman. I think I should have access — very frankly, I 
think I should have access to any information that is collected 
about me and conclusions that are drawn about me. I think that
is the right of citizens, and I do not understand how it could be — 
well, go ahead. 

Mr. Weitzner. Could I suggest we just take one step back. I do 
not have a quick answer to this question, but the right of ac- 
cess — 

The Chairman. By law I can have my credit profile. 

Mr. Weitzner. That is right, and the reason that you can have 
your credit profile is because important decisions are made affect- 
ing your life based on that credit profile. So you have a right to see 
it really in order to correct it if there are mistakes. 

The Chairman. Suppose that this company that makes a profile 
of me that portrays me as an axe murderer is then sold and distrib- 
uted to others, all over the Internet. Is that good? 

Mr. Weitzner. I think that what you certainly have a right to 
know is what are they disseminating to others. I am not sure that 
I am comfortable with the notion that any single Web site that has 
any kind of commercial activity has to have a mechanism for dis- 
closing all of the information that it compiles that is in some way 
personally identifiable. That really goes pretty far and I think, as 
the FTC Advisory Committee recently pointed out, you get into a 
whole other set of privacy problems. 

How does Amazon know that you are you when you are coming 
to look at your profile? A lot of people are going to be trying to fig- 
ure out every Senator’s password. 

The Chairman. They have got my credit card. They get my credit 
card when I make a purchase, so they are pretty darn sure that 
it is me. 

Mr. Weitzner. Well, they insure against the risk that it actually 
is not you and they protect themselves. And the credit card compa- 
nies charge you whatever interest they charge you. 

The Chairman. They do not know that I like history books just 
because of one purchase. 

Go ahead, Mr. Berman. 

Mr. Berman. I think the answer is — I raised it before — this is 
not an easy question. There has been a committee now on access 
which has drilled down and made a distinction between proprietary 
information, information which you should have which might be ex- 
empt information. So it depends. That is one of the critical factors 
in writing legislation like this. In order to decide the access 

The Chairman. You are making an argument we better be very 
careful about writing 

Mr. Berman. You better be very careful and go through the 
hypotheticals about what you mean by access and who has access. 
You might also raise the question which we raise: If you have total 
commitment from the private sector to both only give you that pro- 
file and keep it for themselves and never use it for anyone else be- 
cause they are the only ones that want to sell you Napoleon books, 
what is the right of the FBI to get access to that information, that 
profile? 

What we have done is we are making an enormous transfer of 
third party information, personal sensitive information, to the net 
without also examining what the government access standards are 
to that information. I mention the Monica Lewinsky example. A
colleague of mine at CDT is testifying over in another 

The Chairman. We try not to mention that. 

Mr. Berman. — committee dealing with government access. I 
would urge that at some point the committee try and look at them 
together because they are of a piece. 

The Chairman. Well, this is fascinating. This is a fascinating 
issue. I mean, it is really a remarkable issue, and I would argue 
that 5 years ago if we had said we would be having this kind of 
discussion, it simply was not on the screen. I believe that Mr. 
Catlett is right, though. I think this is a very rapidly growing issue 
rather than one that is diminishing. 

I apologize to my friend and colleague for the length of time I 
took, but it is a fascinating dialog. 

I thank the witnesses. 

Senator Burns. I have never missed a meal and I do not plan 
to. 

[Laughter.] 

Mr. Berman. You have never missed a meal while I have been 
up here. 

Senator Burns. In light of the conversation and the dialog with 
the Chairman, give me your assessment — and I would ask you, 
Jerry. Give your assessment of the safe harbor approach. 

Mr. Berman. Well, I think that the safe harbor approach offers 
a real opportunity in dealing with the Internet. One of the things 
that the FTC has built up is a considerable amount of experience 
in dealing with that there are a whole myriad — it is not one-size- 
fits all on the Internet. We want to encourage a lot of different ex- 
periments in enforcement and trying to get companies to do audits 
and so on. 

If the safe harbors encourage that experimentation so that good 
practices can find their way into that safe harbor, then after devel- 
oping a data base and factual basis on how those work you can 
make decisions about whether you need to go further and deal with 
criminal penalties and all the other paraphernalia. But I would not 
start at that end, which is with big penalties and high standards 
for what is a safe harbor, because there is so much experimen- 
tation, so many new people on the Internet. 

But I think that what is the problem with the self-regulatory re- 
gime now is not that people are not trying these experiments, but 
that they do not know what a safe harbor is. So they do not know 
what to spend, whether it is worth it, whether if they join E-Trust 
or BBBOnLine whether they are going to be safe from prosecution 
or safe from legislation. So I think that that uncertainty is some- 
thing that your legislation begins to address. I mean, we need to 
work on it, and Senator Hollings 

Senator Burns. In other words, we do not want to abandon the 
safe harbor approach? 

Mr. Berman. I do not think so. 

Senator Burns. Now let us go, let us go one step further then. 
Does the simple posting of privacy policy amount to actual privacy 
to the end user? I mean, once they make 

Mr. Berman. It does not amount to privacy if the statement is 
not complete or it says in some circumstance we do this, in some 
circumstance, and it is conflicting. We have examples in our testi-
mony. It has to be a complete statement covering the fair informa- 
tion practices. It has to give you adequate information so that you 
know what the scope of collection and use is. 

Senator Burns [presiding]. That is all I have today. I have lis- 
tened to the testimony and the questions. I do not know what hap- 
pened to the Chairman, but I will tell you this, that we thank you 
for coming today. There will be other Senators with questions. If 
you could respond to the individual Senators and to the Committee, 
that would be helpful. 

Right now, this hearing is adjourned. The record will remain 
open for 2 weeks. 

[Whereupon, at 12:51 p.m., the Committee was adjourned.] 




APPENDIX 


Response to Question Submitted by Hon. Max Cleland to Jason Catlett 

Question 1. As you know, I am a co-sponsor of S. 2606, which was introduced this 
week by Senator Hollings and nine other Senate colleagues. This bill allows for “opt-in”
provisions for Web sites using and sharing personally identifiable information,
and “opt-out” for non-personally identifiable information. I would like to get your 
thoughts on these provisions, specifically addressing the implementation of these
provisions by Web sites and the possible effects it may have on online commerce. 

Answer. This responds to Senator Cleland’s question to me about S. 2606. 

I believe the bill makes broadly the right decision on both opt-in for personally 
identifiable information (PII) and opt-out for non-personally identifiable information 
(non-PII), subject to the following qualifications. 

For PII, opt-in should certainly be required, since to have personal data distrib- 
uted without the consent of the person concerned on a data transmission medium 
as powerful as the Internet would mean the death of privacy online. It may further 
be necessary to set and evolve a high standard to ensure that the consent is both 
well-informed and affirmative. 

For non-PII, at least an opt-out should certainly be required, but it is possible 
that in some cases that may arise in the future, the standard should be raised to 
opt-in. The use of pseudonymous identities is expected to greatly increase in the 
next few years, and it may be necessary to protect the privacy of these identities, 
even if they are not personally identified with any natural person. 

Accordingly, I would recommend proceeding with the broad standards as they are 
in this bill, but remove the language preempting state law. If changes become nec- 
essary following experience with the law, states should be free to act accordingly. 

On the implementation for Web sites, I can speak from direct experience, having 
operated for about four years a Web site that collects personal information on a 
purely opt-in basis. The Internet makes the process of opting-in and opting-out very 
inexpensive, at near zero marginal cost. 

This contrasts with the relatively high cost of processing opt-transactions in the 
physical world. As to the cost of establishing the opt-processing systems, it would 
be only a very small percentage of the total development cost of a typical e-com- 
merce site. It is entirely reasonable to require this. 

The major effect on e-commerce would be to increase consumer participation due 
to improved consumer confidence. This could be as much as 20 or 40 percent over 
several years, compared to the ugly scenario where no protections are in place, and 
consumer confidence continues to decline. People who are scared offline at their ear- 
liest encounters with the Internet may be reluctant to return. 

Online advertisers might complain that they have to ask people’s permission be- 
fore using or selling information about them, and that therefore they would have 
to forgo some revenue. This is a very poor reason to lower the standards proposed 
in the bill, because (i) online advertisers still have a fine business selling ads that 
are targeted not based on personal information, using the so-called old-fashioned 
“print model” of putting ads for golf clubs in the sports section: this constitutes the 
vast majority of their existing revenues; (ii) online advertising is only a tiny percent- 
age of e-commerce revenues; and (iii) it is unfair to permit the advertisers to maxi- 
mize their revenues at the expense of reducing the total size of the market. 

If it is not out of place here, I would like to commend the Senator and his cospon- 
sors on the Consumer Privacy Protection Act, and to express my admiration for the 
plain common sense of his remarks about online privacy during the hearing. 

If I can be of any further assistance to you or the Committee, please feel free to ask.


Response to Written Questions Submitted by Hon. Max Cleland
to Jill A. Lesser 

Question 1. Do you believe people should be able to know what information is col- 
lected about them by third parties, how that information is used, and the ability 
to correct incorrect information? 

Answer. Yes. We at America Online believe strongly that “notice” and “choice” 
with respect to personally identifiable information are essential elements of online 
privacy protection. In other words, consumers should be given clear notice about 
what personally identifiable information is collected about them and why it is being 
collected, and should be given the opportunity to exercise choice about how such in- 
formation is used. In addition, we believe that organizations that collect personally 
identifiable information from consumers should take steps to protect the security of 
that information and should establish a process for correcting inaccuracies in impor- 
tant information, such as account or contact information. AOL’s privacy policy is 
based on these essential principles. 

Question 2. As you know, there are several privacy seal programs that Web sites 
can earn by their privacy practices. Several of the “good players” attempt to influ- 
ence their business partners to adopt stronger privacy protections and earn the en- 
dorsement of these seal programs. AOL works with its partner companies to ensure 
good privacy practices. However, how do you explain the fact that the FTC report 
found only 8% of randomly selected sites participate in these programs? 

Answer. AOL supports the development of privacy seal programs to help encour- 
age good business practices, build public awareness, and increase consumer con- 
fidence in the online medium. AOL helps to promote sound privacy practices 
through its Certified Merchant Program, which requires AOL merchants to post a 
comprehensive privacy policy that is consistent with the principles outlined in AOL’s 
privacy policy and the industry guidelines developed by the Online Privacy Alliance. 

While we do not know the precise reason for the low level of seal program partici- 
pation found in the FTC report earlier this year, one factor may be simply that more 
public education is needed to make both consumers and businesses more aware of 
the importance of such programs. As public awareness about online privacy issues 
continues to grow, participation in these programs will likely increase. Furthermore, 
it is possible that the FTC survey focused narrowly on strict “seal” programs, and 
perhaps did not take into account the wide variety of compliance and certification 
programs that currently exist, such as AOL’s Certified Merchant program, to help 
ensure good privacy practices and increase consumer confidence. We believe that the 
proliferation of all such programs will help to build consumer trust in the online 
medium. 

Question 3. What evidence have you seen to indicate that the average, not
necessarily Web-savvy, American Web surfer is knowledgeable about
information-gathering practices of Web sites? Especially among groups coming
online more and more, like older Americans?

Answer. It is clear that online privacy issues have taken center stage in the public 
debate over the past year, and that Americans generally are more aware than ever 
before about both the tremendous benefits of electronic commerce and the potential 
privacy implications of doing business online with sites that do not protect their pri- 
vacy. This year’s FTC report shows a dramatic increase in the number of commer- 
cial Web sites that have posted privacy policies describing their information-gath- 
ering practices. Despite this incredible progress, we believe that the average user’s 
knowledge and understanding of how his or her personal information is collected 
and used online is still not at the level where it needs to be in order to ensure that 
consumers’ privacy is being fully protected. 

AOL believes, therefore, that companies doing business online have a responsi- 
bility to reach out to Internet users to help educate them about what they can do 
to protect their privacy online. AOL makes it a priority to clearly inform our mem- 
bers about our privacy policies and about the steps they can take to ensure that 
their personal information is protected wherever they go online. In addition, we 
have participated in a number of industry-wide efforts to raise public awareness 
about online privacy, such as the “Privacy Partnership 2000,” an ongoing grassroots 
initiative created by TrustE and leading online companies like AOL to promote pri- 
vacy education on the Internet, as well as the recent media consumer education 
campaign sponsored by the members of Netcoalition.com, a public policy organiza- 
tion comprised of leading online consumer companies. We believe that industry, gov- 
ernment, and consumer groups must continue to work together to promote public 
education about online privacy and bring consumer education to the level where it 
needs to be. 
Response to Written Questions Submitted by Hon. Max Cleland
to the Federal Trade Commission 


Dear Senator McCain: 

Thank you for transmitting Senator Cleland’s post-hearing questions related to 
the Federal Trade Commission’s report, Privacy Online: Fair Information Practices 
in the Electronic Marketplace (“Report”). The Commission’s responses are as fol- 
lows. 1 

Question 1. Some people have called for the creation of a privacy commission to es- 
tablish future privacy guidelines and “add flesh” to laws that may be passed by Con- 
gress. Do you feel as though this role could be effectively performed by the Federal 
Trade Commission? And, what is your opinion on the creation of such a commission? 

Answer. Yes, based on the proposals we have seen about the anticipated role of 
a privacy commission, we believe that the FTC could effectively perform the duties 
associated with such a commission. As you know, the FTC has been involved with 
data privacy issues since 1995, and has in fact performed many of the same func- 
tions that a privacy commission would perform. The Commission has held a series 
of widely-attended public workshops, which included participation by industry, ad- 
vocates, and academics, and has produced numerous reports focusing on a variety 
of privacy issues, including the collection of personal information from children,
self-regulatory efforts and technological developments to enhance consumer privacy,
consumer and business education efforts, and the role of government in protecting
online privacy. Moreover, at Congress’s direction, the Commission has promulgated a
well-received rule pursuant to the Children’s Online Privacy Protection Act. The 
agency will continue to examine privacy issues and we believe the Commission could 
effectively fill the role of implementing any additional laws Congress may enact. 
Moreover, the FTC also has a competition mission that gives the agency a unique 
ability to consider the competitive implications of any privacy regulations. 

We generally believe that additional resources can be brought to bear on the eval- 
uation and development of effective privacy protection for Americans. We are con- 
cerned, however, that the creation of a separate privacy commission might be ineffi- 
cient given the FTC resources already devoted to privacy issues. Furthermore, a 
number of states are moving forward with their own form of online privacy legisla- 
tion. Thus, such a commission also could have the counter productive effect of delay- 
ing thoughtful consideration and development of otherwise appropriate and timely 
legislation to protect privacy. 

Question 2. Do you feel Internet business has the potential to grow with clear, con- 
cise privacy policies in effect? 

Answer. Yes. As described in our recent report, “Privacy Online: Fair Information 
Practices in the Electronic Marketplace,” (May 2000, available at
http://www.ftc.gov/os/2000/05/index.htm#22), some survey research suggests that the
vast majority of online consumers are concerned about the misuse of their personal 
information online, and that large numbers of consumers do not trust online compa- 
nies to keep their personal information confidential. Alleviation of these concerns 
should prompt more consumers to use the Internet. Sites with clear and concise pri- 
vacy policies that implement the fair information practices outlined in the Commis- 
sion’s Report have the potential to appeal to consumers who are concerned by pro- 
viding a “privacy-friendly” marketplace in which consumers can shop. Moreover, a 
majority of the Commission believes that if Congress enacts legislation requiring a 
baseline of privacy protections, consumers could benefit from the knowledge that 
they would be entitled to at least a uniform level of protection wherever they visit
online. This knowledge should also result in a concomitant increase in consumer 
confidence in the online marketplace. 

Question 3. What evidence have you seen to indicate that the average, not nec- 
essarily web savvy, American Web surfer is knowledgeable about information gath- 
ering practices of Web sites? Especially among groups coming online more and more 
like older Americans? 

Answer. As noted in our recent Report, although consumers may not be conver- 
sant in the specific information-gathering practices of Web sites, survey evidence in- 
dicates that consumers are increasingly concerned about their privacy online. (Re- 
port at 2-3.) Some evidence also suggests that older Americans are concerned about 
shopping online because of their privacy concerns. (Report at 2 n.15, referring to 
AARP National Survey on Consumer Preparedness and E-Commerce: A Survey of 


1 The Commission vote to issue this letter was 4-1, with Commissioner Swindle dissenting.
His views are expressed in a separate letter, which is attached.

Computer Users Age 45 and Older (March 2000), available at <http://www.aarp.org/
press/2000/nr033000.html>) The Commission unanimously believes that all con- 
sumers, including older Americans and others new to the online medium, would 
benefit from clear and conspicuous privacy disclosures online. 

In addition, consumer education about online information gathering is still badly 
needed. The FTC will continue its efforts to educate consumers about the online 
marketplace and its information practices and will encourage self-regulatory groups 
to focus on consumer education as well. Educating businesses about the need to
implement privacy protections has been and continues to be an important complement to
these consumer education efforts. 

Question 4. As you know, the Better Business Bureau and other companies have on- 
line “seals” for which Web sites can apply if the site believes it meets the privacy 
standards of those seal programs. The FTC report states that only 8% of the
Random Sample of sites and 45% of the Most Popular sites in the survey display a
privacy seal. Could each of you comment on these seal programs and their influence
on the Internet industry and its privacy practices? 

Answer. The Commission has long supported the development and implementa- 
tion of seal programs as part of industry self-regulatory efforts. We believe online 
privacy seal programs can play an important role in advancing the implementation 
of fair information practices in the online marketplace. They educate both online 
businesses and online consumers about online privacy protections, and they can 
serve as a key enforcement component of industry self-regulation in this area. The 
established programs are to be commended for their efforts to date, and the emer- 
gence of several new, competing seal programs is a welcome development. 

If widely adopted, seal programs promise an efficient way to alert consumers to 
licensees’ information practices and to demonstrate licensees’ compliance with pro- 
gram requirements. Although the number of sites enrolled in seal programs has in- 
creased in absolute terms over the past year, with 45% of the Most Popular sites 
participating, the seal programs have yet to establish a significant presence on the 
Web. Therefore, their impact on online commerce remains limited. The Commission 
believes that seal programs’ efforts would be bolstered by legislation requiring on- 
line companies to adhere to core fair information practice principles. 

Question 5. Several Internet companies claim that privacy policies will “kill the 
goose that laid the golden egg” by being too burdensome on this fledgling industry. 
The FTC report references concerns of FTC staff and the Advisory Committee on
Online Access and Security that some of these recommendations to protect con- 
sumer privacy should not be overly burdensome to the company. Do you have any 
further guidelines on what is “overly burdensome” for the Committee? 

Answer. The Commission has specifically recognized that implementation of the 
fair information practices of Access and Security raise complex issues. As you note, 
many of these issues were highlighted in the Report of the Advisory Committee on 
Online Access and Security. The majority of the Commission does not believe that 
providing Access and Security would necessarily create unreasonable burdens or 
costs to online businesses. 2 Furthermore, the issue of burden, particularly with re- 
spect to small businesses, could be fully and fairly addressed in a rulemaking pro- 
ceeding. Such a proceeding, with input from online businesses and consumers would 
greatly assist any implementing agency in crafting a rule that implements online 
privacy protections in a flexible and reasonable manner. 

Please let me know if the Commission can provide any additional information on 
this important matter. 

By direction of the Commission. 

Robert Pitofsky, 

Chairman. 


Response to Written Questions Submitted by Hon. Max Cleland 
to Orson Swindle 


Dear Chairman McCain: 

Thank you for transmitting Senator Cleland’s post-hearing questions related to 
the Federal Trade Commission’s report, Privacy Online: Fair Information Practices 


2 Commissioner Leary opposes mandated access and security at this time because he believes 
that the Commission has insufficient information about the relative costs to businesses and ben- 
efits to consumers in this area, and because, if notice is adequate, the competitive marketplace 
should provide a better solution than regulation. 
in the Electronic Marketplace (“Privacy Report”). For the most part, I do not share
the views expressed in the Commission majority’s response to Senator Cleland’s 
questions. Accordingly, for the Senator’s consideration, I am providing my individual 
responses to his questions. 

Question 1. Some people have called for the creation of a privacy commission to es- 
tablish future privacy guidelines and “add flesh” to laws that may be passed by Con- 
gress. Do you feel as though this role could be effectively performed by the Federal 
Trade Commission? And, what is your opinion on the creation of such a commission? 

Answer. A Congressionally established privacy commission could add measurably 
to the general understanding of online privacy. A serious examination of all the 
issues surrounding online privacy should add significantly to a better understanding 
of the possible unintended consequences of the laws that may be passed for the on- 
line economy. Such an examination should look at the costs and benefits of various 
options, including legislation, industry self-regulation, government guidelines re- 
garding industry best practices, etc. As I pointed out in my dissent from the Privacy 
Report, an analysis of this type should have preceded any recommendation of legis- 
lation by the FTC and certainly should precede enactment of legislation mandating 
privacy protections. 1 

Having some experience and certainly a reservoir of knowledge about privacy on- 
line, competitive issues, how to make clear and conspicuous disclosures online, and 
implementation of the Children’s Online Privacy Protection Act, the FTC theoreti- 
cally could perform this function. However, the recent FTC Privacy Report indicates 
to me that a more objective, probing analysis and less pro-regulatory bias are desir- 
able. Perhaps it would be best for an independent, non-partisan commission to take 
on this task, in a manner similar to the Advisory Commission on Electronic Com- 
merce. 2 

Question 2. Do you feel Internet business has the potential to grow with clear, con- 
cise privacy policies in effect? 

Answer. Yes, although it is obviously growing exponentially now with less than 
perfect privacy policies in effect. To my knowledge, no one has empirically
established the impact of privacy policies on consumer behavior. Industry self-regulation
is making good progress. I suspect that the degree to which privacy concerns are 
impeding the growth of online commerce has been vastly overstated. The FTC’s ef- 
forts to evaluate online privacy have not included any empirical study of the effects 
on online commerce of the existence of privacy policies, whether consisting of simple 
notice or comprehensive statements implementing all four FTC-suggested fair infor- 
mation practice principles. Instead, the FTC, relying upon consumer opinion surveys 
showing that many consumers are concerned about online privacy, has asserted that 
online commerce will not reach its full potential without legislation ensuring full 
fair information practices. 3 Consumer opinion polls showing a generalized concern 
about privacy, however, should not be relied upon as the basis for concluding that
legislation is required for the optimal growth of online commerce. 4 There is no rea- 
son to conclude that legislation will necessarily increase consumer confidence in the 
online marketplace. 

For example, a study conducted by Jupiter Communications in mid-1999, 5 con- 
cluded that “consumers do not see government regulation as the solution to the on- 
line privacy issue. The vast majority of respondents to a Jupiter Consumer Survey — 
86% — said that they would not trust a Web site with their privacy even if the gov- 
ernment regulated it.” 6 The same study asked consumers to identify the top two 
factors that would increase their trust in Web sites regarding privacy. “The posting 
of privacy policies eased the concerns of 36 percent of consumers surveyed.” 7 Gov- 
ernment regulation was “not a popular option” for increasing consumers’ confidence: 


1 Privacy Report, Dissenting Statement of Commissioner Orson Swindle at 2, 21-24. 

2 This Commission was created by Congress when it enacted the Omnibus Appropriations Act 
of 1998, Pub. L. No. 105—277, to study and make recommendations about taxation on trans- 
actions using the Internet. The Commission’s final report is available at http://www.e- 
commercecommission.org/report.htm. 

3 Privacy Report at iv. 

4 See generally Concurring and Dissenting Statement of Commissioner Orson Swindle to 
Statement of the Federal Trade Commission on Online Profiling; see also Privacy Report, Dis- 
senting Statement of Commissioner Orson Swindle at 10-16. 

5 This study predates the noteworthy increase in the display of privacy policies online and in 
online sales in late 1999 and the first quarter of 2000. 

6 Michele Slack, Jupiter Communications, Proactive Online Privacy, Scripting an Informed 
Dialogue to Allay Consumers’ Fears at 19 (June 1999). 

7 Id. at 4.

“only 14 percent indicated that they would more likely trust a Web site on privacy
issues if the site were subject to government regulation.” 8 

Question 3. What evidence have you seen to indicate that the average, not nec- 
essarily Web savvy, American Web surfer is knowledgeable about information gath- 
ering practices of Web sites? Especially among groups coming online more and more 
like older Americans? 

Answer. To my knowledge, the research cited in the Commission’s Privacy Report 
does not directly address this issue. One study mentioned in the Report, a telephone 
survey of adult computer users conducted in March 2000 by Harris Interactive for 
Business Week, found that 40% of computer users had heard of cookies and, of these, 
75% understood them to be “files downloaded onto your computer that track your 
online habits.” 9 The Harris poll also found that 55% of computer users while surfing 
online had seen a privacy notice or other explanation of how personal information 
collected by a Web site will be used. Of those who had seen a privacy notice, 35% 
always read it, 42% sometimes read it, 18% rarely read it, and only 4% never read 
it. 10 

Surveys that indicate that consumers are increasingly concerned about online pri- 
vacy are not evidence that consumers are knowledgeable about the information 
gathering practices of Web sites. Simply stated, once again the FTC is presenting 
misleading interpretations of opinion survey results, including the AARP survey. 

The AARP report shows that the majority (54%) of older Americans who use the 
Internet make purchases online. 11 Three out of four of these online purchasers
describe themselves as either very or somewhat concerned about the privacy of the
information, yet they make purchases. 12 This confirms my sense that consumers who
express concerns about privacy in the abstract find that their concerns are out- 
weighed in practice by the convenience and other benefits of shopping online. 

The Privacy Report, relying only on the press release and not the full AARP Re- 
port, cited the press release as support for the proposition that “many consumers 
who have never made an online purchase identify privacy concerns as a key reason 
for their inaction.” 13 In fact, the AARP study itself does not permit any conclusions 
to be drawn about the degree to which privacy concerns or any other reason influ- 
enced consumers’ decisions not to purchase online. 

Instead, the study used an open-ended question followed by probing to determine 
why those respondents who stated that they never purchased over the Internet have 
not made such purchases. 14 The resulting tabulation of reasons offered by
consumers in response shows only how frequently these consumers identified particular
reasons for not purchasing, not whether a particular reason was “key” to their deci- 
sion not to purchase. Of the Internet users who have never made an online pur- 
chase, 43% “simply are either not interested in online shopping (28%) or do not like 
online shopping (15%).” 15 Another 20% indicated that they like to shop and/or ex- 
amine products in person. Twenty-four percent cited “concerns about privacy” and 
an additional 6% stated they were concerned about “safety of payment.” 16 

Question 4. As you know, the Better Business Bureau and other companies have on- 
line “seals” for which Web sites can apply if the site believes it meets the privacy 
standards of those seal programs. The FTC Report states that only 8% of the Ran- 
dom Sample of sites and 45% of the Most Popular sites in the survey display a pri- 
vacy seal. Could each of you comment on these seal programs and their influence 
on the Internet industry and its privacy practices? 

Answer. The “seal programs” are a good idea. However, the fact that a company 
does not use a seal program does not mean that it has unsatisfactory privacy poli- 
cies and practices. No conclusions should be drawn from not belonging to a seal pro- 


8 Id. 

9 Business Week Online, Business Week/Harris Poll: A Growing Threat (March 2000),
available at <http://www.businessweek.com/2000/00_12/b3673010.htm>. Interestingly, of those
computer users that are aware of cookies, many set their computers to reject them, either always
(21%) or sometimes (21%), while an even larger group either never (43%) or only rarely (10%) 
did so. 

10 Id. 

11 AARP National Survey on Consumer Preparedness and E-Commerce: A Survey of Computer
Users Age 45 and Over (“AARP Report”) at 32, 62 (March 2000), available at
<http://research.aarp.org/consume/e-commerce_1.html>.

12 Id. at 54. 

13 Privacy Report at 2 n.15.

14 AARP Report at 64. 

15 Id. at 34. 

16 Id. A variety of other reasons are also identified in the AARP Report, but only reasons men- 
tioned by at least 3% of those surveyed are reported. 
gram. Seal programs are but one of many practices that can be used to give con-
sumers confidence. Companies with good business practices that satisfy consumers 
accomplish that confidence-building without necessarily having to employ seal pro- 
grams. 

I disagree with the majority’s conclusion that seal programs have yet to establish 
a significant presence on the Web. As I mentioned in my dissent from the Privacy 
Report, seal programs are not the only enforcement mechanism that backs up
self-regulation. 17 In any event, 45% of the most popular sites — the ones that attract the
greatest number of individual visitors — use a privacy seal, and that is not an insig- 
nificant presence by any stretch of the imagination. 


Question 5. Several Internet companies claim that privacy policies will “kill the 
goose that laid the golden egg” by being too burdensome on this fledgling industry. 
The FTC report references concerns of FTC staff and the Advisory Committee on 
Online Access and Security that some of these recommendations to protect con- 
sumer privacy should not be overly burdensome to the company. Do you have any 
further guidelines on what is “overly burdensome” for the Committee? 

Answer. I do not know what privacy policies will be “overly burdensome,” al- 
though I suspect that mandating Choice, Access, and Security may be burdensome 
for many small Internet companies, as well as for larger companies whose business 
models rely on the sale or use of consumer information to offset the costs of pro- 
viding benefits and services to consumers. No one, at the FTC or elsewhere, has 
made an assessment that answers your question. This was my sharpest disagree- 
ment with the majority’s legislative recommendation in the Privacy Report. 18 It is 
critical to look at the costs and burdens that proposed legislation might impose be- 
fore imposing them, and it is just as critical to realistically assess the likely benefits 
of such legislation. 

Regulations have a long history of not accomplishing their original, well-intended 
purposes, and unintended adverse consequences are a well known, oft-occurring fact 
of life. No one at the FTC has made a cost-benefit analysis of either the legislative/ 
regulatory approach or the industry self regulation approach. 

In its response to this question, the majority basically says, as it did in the Pri- 
vacy Report that, regardless of the costs of legislatively imposed privacy require- 
ments, Congress should impose them anyway, and we will work out the problems 
later. This could have a chilling effect on the New Economy, and the damage could 
be difficult to repair. 

Please let me know if I can provide additional information on this important mat- 
ter. 


Sincerely, 


Orson Swindle 


Center for Democracy and Technology 

Washington, DC, September 8, 2000 

Hon. John McCain, 

Chairman, 

Senate Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Dear Chairman McCain, 

Thank you again for inviting the Center for Democracy and Technology (CDT) to 
testify at the May 25, 2000 oversight hearing on Internet privacy. We are happy 
to answer the Committee’s additional question on CDT’s view of current practices 
in Internet advertising. 

The ability to personalize and customize content for the individual is one of the 
main features drawing a vast number of individuals and businesses to the Internet. 
Individuals can be empowered by this personalization. For example, tailoring infor- 
mation to a person’s needs could help a citizen more easily find details about their 
local elections or a consumer could aggregate advertisements in order to compare 
prices. In both of these cases, some sort of personal information or preference data 
may be needed. All of these and other similar activities should be encouraged, but 
in each case the companies providing the personalization service must make deci- 
sions about how they plan to protect the individual’s privacy in the process. Too 
often, CDT has seen common Internet business practices that surreptitiously collect 


17 Privacy Report, Dissenting Statement of Commissioner Orson Swindle at 9-10. 
18 Id. at 21-24. 
information. These practices should not be blamed on a particular technology, but
on how tracking technologies are utilized. 

Simply put, individuals should be told when decisions are being made about them. 
CDT is not a business organization and therefore we cannot offer a comparison 
or analysis of the effectiveness of a particular business or marketing plan, but we 
can offer an assessment of ways to personalize while protecting privacy. Despite the 
polls showing that as many as 96% of Americans are concerned about privacy, many
companies still do not take privacy into account or purposely ignore privacy when 
creating new business models. These companies are left to defend bad practices that 
could have been avoided at an earlier stage if privacy had been a consideration. 

The good news is that the tide has begun to turn. Every day CDT meets with
companies that want to make sure that they are protecting privacy or have created new
privacy enhancing technologies that put users in control. Two members of the CDT 
staff have recently written a short article entitled “Your Place or Mine: Privacy Con- 
cerns and Solutions for Client and Server Side Storage of Personal Information”* 
detailing some of the legal and technical concerns that business should take into 
consideration when making decisions about how to personalize. I have also included 
a recent law review article with a broader overview.* 

I would be happy to answer any remaining questions that you may have. Please 
feel free to contact me. 

Sincerely, 


Jerry Berman, 
Executive Director. 


cc: Senator Max Cleland 


Association of National Advertisers, Inc. 

Washington, DC, June 12, 2000 

Hon. John McCain, 

Chairman, 

Committee on Commerce, Science, and Transportation, 

United States Senate 
Washington, D.C. 

Dear Mr. Chairman: 

The Association of National Advertisers (ANA) commends you for holding the May 
25th hearing on Internet privacy issues and the FTC’s report on the most recent 
privacy “sweep.” We continue to believe that the most effective way to protect pri- 
vacy in the online environment is through a combination of strong industry self-reg- 
ulation, consumer empowerment and strong FTC enforcement under existing legal 
authority. While much more remains to be done, we believe that industry self-regu- 
lation has made substantial progress in the past few years. Also, the FTC has been 
an active, effective “cop on the beat” in this area. Therefore, ANA believes it would 
be counterproductive and premature for Congress to adopt broad privacy legislation 
at this point. 

We would appreciate it if you would include these comments in the official record 
for the May 25, 2000 hearing. 

In last year’s “report card” to Congress on the state of online privacy protection, 
the FTC stated: “The Commission believes that self-regulation is the least intrusive 
and most efficient means to ensure fair information practices online, given the rap- 
idly evolving nature of the Internet and computer technology.” We agreed then and 
strongly believe now that those sentiments continue to be correct. 

The most recent FTC survey found significant progress in the number of sites that 
posted privacy policies, 88% of a random sample and 100% of the most popular sites. 
This is truly a major improvement from the FTC’s first sweep in 1998, when only 
14% of Web sites had any disclosure about privacy policies. 

We agree with you that the privacy disclosures on many Web sites are too long 
and complex. We have urged our member companies to take another look at their 
notices to make sure that, to the maximum extent possible, the disclosures are clear 
and conspicuous and in language that ordinary consumers can understand. 

According to the FTC report, only 20% of the busiest commercial sites implement 
all four of the fair information principles of notice, choice, access and security. We 
believe that the 20% finding must be placed in the proper context. 

While most sites have policies on notice and choice, many are still developing poli- 
cies on the complex issues of access and security. These issues are very challenging, 


* The information referred to has been retained in the Committee files. 
as demonstrated by the report of the Commission’s Advisory Committee on Online 
Access and Security (ACOAS). Even the FTC admits in its report that it has not 
been able to establish clear standards on how to implement these policies. Yet the 
FTC’s report graded down Web sites for not fully addressing access and security. 

Everyone agrees on the concepts of access and security, but these issues are the 
true Gordian Knot of privacy. Implementing these concepts is a difficult and com- 
plex process. Providing consumers with broad access to information, without ade- 
quate protections, poses potential severe security risks. Overly stringent security 
precautions can make access very difficult. 

Effective privacy protection is more than a numbers game. Even if 100% of Web 
sites provided easy access to information, without stringent security precautions, 
100% access may in fact diminish rather than enhance consumer privacy. It is thus 
not surprising that while most Web sites address notice and choice, many are still 
struggling with how best to address access and security. The online community is 
nevertheless committed to addressing these areas in a timely and effective manner. 

Though groups such as the Online Privacy Alliance (OPA), ANA and others in the 
business community have reached out to encourage all commercial Web sites to post 
privacy policies. There are now three major privacy seal programs in operation and 
numerous software programs available in the marketplace. Several tools are avail- 
able that allow consumers to surf online completely anonymously. New technological 
solutions such as P3P are closer to implementation. A number of major marketers 
have refused to place advertising on Web sites that do not have strong privacy poli- 
cies. 

These and other self-regulatory efforts can respond more quickly to changes in the 
marketplace than an overly restrictive regulatory regime. We must be careful not 
to impose regulations that would impede the growth of the Internet, rather than en- 
hance it. 

While more must be done, we believe self-regulation is working and becoming 
stronger. ANA, several of our member companies and other industry groups are 
committed to taking major steps to accelerate these efforts. These steps will include 
improving privacy policies and making them more user-friendly, further develop- 
ment of technological tools to empower consumers to protect themselves, and a 
broad consumer education program. 

As you know, the FTC already has broad power to regulate the online market- 
place under section 5 of the FTC Act. We believe that this authority, coupled with 
consumer education programs and enhanced technological tools, is the most effective 
and flexible approach to the rapidly changing online environment. Since the Inter- 
net is a global medium, there are real, practical limitations to the reach of national 
legislation and regulation. Therefore, effective self-regulation and consumer em- 
powerment become more important in this environment. 

We remain committed to working with you to protect the privacy of online con- 
sumers. However, we believe that broad privacy legislation at this point would be 
premature and counterproductive. 

Thank you for your consideration of these views. Please feel free to contact me 
if you have any questions. 

Sincerely, 


Daniel L. Jaffe, 
Executive Vice President. 


Prepared Statement of Hon. Robert G. Torricelli, U.S. Senator from New Jersey 

Mr. Chairman and Members of the Committee, I am honored to have the oppor- 
tunity to address online privacy, an issue that is of growing concern to the millions 
of Internet users all across the country and the world. It is estimated that over 100 
million Americans have the ability to access the Internet. The rise in the use of the 
Internet has led to concerns regarding the privacy of personal information trans- 
mitted online, particularly, as more people use the Internet for transmitting sen- 
sitive financial and medical information and for shopping purposes. While some 
argue that given the Internet’s global reach and constantly changing technology, in- 
dustry self-regulation would best protect privacy, others advocate for strong legisla- 
tive and regulatory protections. And, still others, such as the witnesses here before 
us today, recommend a multilayered protection consisting of self-regulatory efforts 
supplemented by legislation authorizing regulatory oversight. Today’s hearing is an 
important way for Congress to gather the information necessary to thoughtfully con- 
sider the range of issues involved in the online privacy debate and to evaluate the 
proper way to address those issues. 
An Internet user’s life is “virtually transparent.” 1 This is in part due to the number 
of companies that fail to provide consumers with full disclosure regarding how 
the company may use personal information transmitted online. As the Federal 
Trade Commission’s (FTC) May 2000 report “Privacy Online: Fair Information Prac- 
tices in the Electronic Marketplace” reveals, only forty-one percent of Web sites in 
the random sample and sixty percent of the most popular sites provide the most 
critical of fair information practice: notice and choice. 2 The notice that is provided 
is often densely worded and at times even misleading. 

Even more troubling are the number of companies allowing online marketers to 
place third-party cookies on their Web sites. Without our consent or knowledge, pro- 
grams known as “cookies” monitor and collect information regarding our Web brows- 
ing habits. Personal data is also extracted directly by Web sites whenever we trans- 
mit the information required to purchase a product or surf the Internet for a specific 
topic. The FTC survey found that fifty-seven percent of sites in the random sample 
and seventy-eight percent of the most heavily trafficked sites allow the placement 
of cookies by third parties and that the majority of these cookies are placed by ad- 
vertising companies engaging in online profiling. The report further revealed that 
the majority of Web sites that allow third-party cookies do not disclose that fact to 
consumers. 3 

Our actions will be monitored and our information will be shared unless we specifically 
request that a company not do so, a process known as “opting out.” Opting 
out requires a user to directly contact a site to decline disclosure. Online industries 
argue that by posting opt out features, they are, in fact, affording consumers a 
choice to protect their privacy. However, as a means of securing the right to online 
privacy, opting out is a burdensome solution that has proven itself largely ineffec- 
tive. Opt out procedures are often confusing and obscured within a Web site. They 
are therefore rarely exercised. One leading marketing company that tracks eighty 
million online consumer profiles has revealed that it receives an average of only 
twelve opt out requests per day. 

This situation, while unsettling, is not inherently menacing. Marketing, both on- 
line and off, is a common and often beneficial practice occurring daily in other forms 
such as mailings and telephone surveys. Businesses benefit from online marketing 
through improved efficiencies resulting from a more detailed analysis of their mar- 
kets. Many consumers also desire the information marketing provides about prod- 
ucts and services that reflect their preferences and budgets. A healthy balance can 
and must be established that allows consumers and commerce to reap the benefits 
of these practices but in a way that is mindful of the public right to privacy. This 
balance has yet to be achieved. Unlike individuals choosing to partake in surveys 
and questionnaires, those of us participating in online marketing do so unwittingly 
and involuntarily, unable to hang up a phone or throw away an envelope. 

Disturbing examples such as these point to an immediate need to provide con- 
sumers with direct control over outside access to their online activities. Consumers 
must be given the right of consent prior to any disclosure of personal information. 
They must be afforded a clear choice to “opt in” to disclosure programs rather than 
the need to opt out of them. They must also be given clear and accessible knowledge 
of the extent of their privacy so that any choice they make will be fair and informed. 
Web sites must accept the burden of persuading consumers of the benefits and de- 
sirability of information sharing. If companies are successful in convincing con- 
sumers that these benefits are clear and substantial, consumers will readily agree 
to participate. 

Early this year, with these provisions in mind, I introduced S. 2063, the Secure 
Online Communication Enforcement Act of 2000. This legislation was intended to 
establish a national dialogue to educate Americans about the challenges of cyber- 
space. In doing so, I hope it will intensify public participation in an emerging debate 
to determine the relationship of the Internet to our society and the role of our gov- 
ernment in determining that relationship. This dialogue is also vital towards pre- 
serving and strengthening public confidence in the viability of the Internet as a se- 
cure medium for commerce and information exchange. Consumers are currently 
spending over fifty billion a year at over eleven million dot-coms. 4 As “The Industry 
Standard” recently argued, customer relationships are the new currency of the 
Internet. And, if e-commerce companies place a greater value on the customer data 


1 Jeffrey Rosen, Why Internet Privacy Matters, The New York Times Magazine, April 30, 2000, 
at 52. 

2 FTC, Privacy Online: A Report to Congress, May, 2000 at 13. 

3 Id. at 21. 

4 Saul Klein and Tara Lemmey, Customer Relationships: The Net’s New Currency, The Indus- 
try Standard, Mar. 13, 2000, at 275. 
they collect rather than on the customer relationships they are building, they risk 
squandering the enormous potential of the Internet, thereby relegating it to a secondary 
role in the American economy. 5 

The SECURE Act is mindful of the need to involve Congress in the issue of online 
privacy because of the industry’s demonstrated inability to provide adequate and en- 
forceable self-regulation. It is also mindful of the need to limit our involvement and 
shield the Internet from a system of rigid government regulations that would stifle 
its dynamic expansion and development. We must remember that during America’s 
great economic revolutions, government has functioned best as a silent partner with 
industry, fostering growth, but also molding it in a socially responsible manner. 
Therefore, instead of regulating, the SECURE Act expands online freedom. It em- 
powers consumers with the ability to protect themselves and make the informed 
choices that will render this legislation self-enforcing. It prevents a patchwork of 
state laws from miring the global growth of online commerce. And, it avoids the ne- 
cessity to resort to extensive FTC oversight. 

The SECURE Act is a beginning of a national dialogue on online privacy and does 
not represent an end product in addressing this issue. Senators Burns, Wyden, 
Leahy, Hatch and now Hollings have also introduced important contributions to the 
debate. I look forward to working with them in reaching a consensus on the most 
appropriate legislative response to the privacy issues raised by the new technologies 
of the information age. Although I believe that entrepreneurial and innovative prac- 
tices online are best served by minimizing the government’s regulatory authority 
over the Internet, the FTC’s report is pivotal to the development of appropriate pub- 
lic policy regarding online privacy. I am pleased that the FTC has officially acknowl- 
edged the need for online privacy standards with a statutory basis. 

Again, I thank the Chairman for giving me the opportunity to participate in this 
hearing. I look forward to working with the Committee to reach conclusions that are 
balanced and fair and that give Americans a greater sense of confidence in the pri- 
vacy of their personal information. 





